Invited Talk: A Software Engineering Program of Lasting Value
(Abstract)



David L. Parnas, P.Eng 

NSERC/Bell Industrial Research Chair in Software Engineering 
Director of the Software Engineering Programme 
Department of Computing and Software 
Faculty of Engineering, McMaster University 
Hamilton, Ontario Canada L8S 4L7 



Engineering educators have long recognised that it is their obligation to prepare 
students for a professional career that may last 40 years in rapidly changing 
fields. Good engineering educators know that they must focus on fundamental 
ideas and teach students how to apply those ideas. Thus, although I studied 
Electrical Engineering at a time when semiconductor research was considered 
useless theory by many of my teachers, most of my textbooks are still valid and 
still useful. In contrast, most of the computer books on my shelves are out-of-date 
and irrelevant. 

It is clear that a Software Engineering program cannot attempt to keep up 
with the latest. If we teach today’s newest ideas, much of what we teach will be 
considered out of date before the students graduate. On the other hand, students 
who end up working in environments that use older tools will not be prepared 
for that job. 

It should also be clear that we must teach students things that they will be 
able to apply and show them how to apply what they have learned. Otherwise 
they will ignore their education when they leave the University. 

In designing McMaster University's Software Engineering program, we concluded we should not teach anything that would not have been useful (if known) 20 years ago and will not be useful 40 years from now. We also took the attitude that we should not teach theory unless we could show how to use it, and we should not teach any pragmatic techniques unless we could show that "theory" proved that the technique was sound.

The result of applying these principles is a program that is very different from most Computer Science programs. While students use the latest technology in the laboratories, the lectures, homework, and examinations focus on more fundamental material. Classical mathematics, material that is certainly of lasting value, is at the heart of the program. The other courses build on that mathematical foundation. There are many practical courses in which student teams build well-structured and well-documented software, but mathematics and science are applied in each one.

The talk will provide a description of our new program including some details 
about the key courses. 

T. Rus (Ed.): AMAST 2000, LNCS 1816, pp. 1-1, 2000. 

(c) Springer-Verlag Berlin Heidelberg 2000
Abstract. We can integrate formal methods into an existing undergraduate curriculum by focusing on teaching their common conceptual elements and by using state of the art formal methods tools. Common elements include state machines, invariants, abstraction mappings, composition, induction, specification, and verification. Tools include model checkers and specification checkers. By introducing and regularly revisiting the concepts throughout the entire curriculum and by using the tools for homework assignments and class projects, we may be able to attain the ideal goal of having computer scientists use formal methods without their even realizing it.
The idea of verification in addition to testing is a good first step. Students should get in the habit of writing informal specifications, loop invariants, and termination arguments in their comments.

Data Structures and Algorithms. This course lends itself naturally to introducing and exercising notions of abstraction, representation invariants, inductive proofs, and state machines.







Jeannette M. Wing 



Programming Principles. This is the traditional course that many schools use to teach the concepts of program specification and verification. It may make sense to revisit this course if some of the material is distributed across the others. At Carnegie Mellon we use this course to teach the functional programming language paradigm (we use ML) with heavy emphasis on types (as weak specifications), modules (interfaces versus implementation), composition and abstraction techniques, and the course's mantra, "code with proof in mind" (recursive programs lend themselves to inductive proofs).

Programming Languages. This course provides the opportunity to revisit more formally the concepts seen only informally during the students' first year. For example, we can give semantics of imperative and object-oriented programming languages in terms of state machines. One can use logic programming languages to illustrate advantages and disadvantages of using executable specifications, i.e., where specifications …

Compilers. Translators and interpreters by definition provide a rich example of abstraction mappings (defining or simulating one machine in terms of another). Correctness-preserving transformations require statements of invariants (formal or not) and soundness arguments (formal or not). Target machines (compiler back ends) are just state machines. This course comes close to the ideal where students use some elements of formal methods without realizing it.

Software Engineering. Students can complement the use of informal tools and semi-formal design methods such as UML with the use of formal ones, e.g., model checkers and specification checkers. I would be tempted to introduce design checkers such as Nitpick and Alloy.

Computer Architecture. Students can use model checkers such as SMV to verify properties of simple circuits, simple processor designs, bus protocols, and coherence protocols.

Operating Systems. Students can use model checkers to check safety properties, e.g., freedom from deadlock, of various mutual exclusion algorithms (e.g., Peterson's, the ticket algorithm, Lamport's bakery algorithm) and with various synchronization primitives (e.g., semaphores, mutex locks, condition variables).
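As an added illustration of the kind of check an operating systems assignment could ask for (this is example code written for this page, not from the paper or its author), the following explicit-state model checker explores all interleavings of two processes running Peterson's algorithm and reports mutual-exclusion violations and deadlocked states. The process model, the state encoding and the deliberately broken "buggy_turn" variant are this example's own constructions.

```python
# Added example: a tiny breadth-first model checker for Peterson's mutual
# exclusion algorithm (two processes, atomic steps, interleaving semantics).
from collections import deque

# Program counters: 0 = non-critical, 1 = flag raised, 2 = waiting, 3 = critical.
def successors(state, turn_rule):
    """All successors of (pc0, pc1, flag0, flag1, turn) when exactly one
    process takes one atomic step; a process whose wait condition fails
    contributes no successor (it stays blocked)."""
    pc, flag, turn = state[:2], state[2:4], state[4]
    succ = []
    for me in (0, 1):
        other = 1 - me
        p, f, t = list(pc), list(flag), turn
        if pc[me] == 0:
            f[me], p[me] = True, 1              # flag[me] := true
        elif pc[me] == 1:
            t, p[me] = turn_rule(me, other), 2  # turn := (depends on variant)
        elif pc[me] == 2:
            if flag[other] and turn == other:
                continue                        # busy-wait: no move possible
            p[me] = 3                            # enter the critical section
        else:
            f[me], p[me] = False, 0             # leave the critical section
        succ.append((p[0], p[1], f[0], f[1], t))
    return succ

def model_check(turn_rule):
    """Breadth-first exploration of the reachable state space; reports the
    first state in which both processes are critical (mutual exclusion
    violated) and the first state without successors (deadlock), if any."""
    init = (0, 0, False, False, 0)
    seen, queue = {init}, deque([init])
    report = {"states": 0, "mutex_violation": None, "deadlock": None}
    while queue:
        s = queue.popleft()
        report["states"] += 1
        if s[0] == 3 and s[1] == 3 and report["mutex_violation"] is None:
            report["mutex_violation"] = s
        nxt = successors(s, turn_rule)
        if not nxt and report["deadlock"] is None:
            report["deadlock"] = s
        for n in nxt:
            if n not in seen:
                seen.add(n)
                queue.append(n)
    return report

def peterson_turn(me, other):
    return other   # Peterson: yield the turn to the other process

def buggy_turn(me, other):
    return me      # constructed bug: claim the turn for oneself

if __name__ == "__main__":
    print("Peterson:", model_check(peterson_turn))
    print("buggy   :", model_check(buggy_turn))
```

The correct variant explores its whole state space without finding a state in which both processes are critical and without a deadlocked state; the buggy variant, in which each process sets turn to itself, reaches a state with both processes in the critical section, which is exactly the kind of counterexample trace a model checker would show a student.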

Networking. Students can use model checkers to check properties of simple network protocols. (A Carnegie Mellon undergraduate in an honors thesis used Nitpick to discover a flaw in the Mobile IPv6 protocol [00].)

Databases. We can use relational databases and other data models to discuss all flavors of invariants. Transactional systems require understanding executions of several behaviors, consistency (correctness) constraints, and interference due to concurrency.

User Interfaces. Modeling the user, environment, and system as a set of interacting concurrent processes can provide the foundation for usage scenarios. Using model checkers such as … makes sense.

And graduate, upper-level electives such as Artificial Intelligence and … presumably offer other opportunities as well.




Weaving Formal Methods

4 Future Work

All real work is future work. The ideas sketched in this paper are just ideas of what might be possible; the details remain to be worked out. The biggest obstacle is getting buy-in from our colleagues: convincing other instructors, curriculum committees, and administrators that integrating formal methods unintrusively is a good thing to do.

Also, while philosophically in Section 1 we argued to emphasize concepts, not notation, often the notation is the conveyor of abstract ideas. Effectively weaving the teaching of fundamental concepts with existing courses means adapting notations and methods to the languages already in use. For example, using ESC/Java makes sense in the data structures and algorithms course taught in Java, but using tools for that same course may require too much additional overhead.

Nitty-gritty future work is in thinking of the examples to use in lectures, in designing appropriate homework and exam problems, and in making learning these concepts and tools enjoyable.

We do not have to do everything new, and we do not have to do everything all at once. We can begin, for example, by discussing state machines in a programming languages course and by introducing model checkers in a homework assignment or project of a computer architecture course. The main thing is to start doing something!
Invited Talk: Making Mathematical Methods More Practical for Software Developers
(Abstract)



David L. Parnas, P.Eng 

NSERC/Bell Industrial Research Chair in Software Engineering 
Director of the Software Engineering Programme 
Department of Computing and Software 
Faculty of Engineering, McMaster University 
Hamilton, Ontario Canada L8S 4L7 



There is a startling contrast between classical engineering disciplines and Software Engineering. Electrical, Mechanical, and Civil Engineers learn a lot of mathematics and they actively use that mathematics when designing new products or processes. In contrast, most software developers see mathematics as nearly irrelevant to their work and some educational programs deliberately neglect traditional mathematics.

At the Software Engineering Research Group at McMaster University we believe that one of the reasons for the limited use of mathematics by software developers is the inappropriateness of what is often called "formal methods". Many advocates seem to view "formal methods" as an "add on" to programming. We view mathematics as an integral part of the work of the Engineer.

There are obvious problems in using such tools as Z and VDM. Complete 
specifications written in these languages are often longer, and more difficult to 
understand than the code itself. Writing specifications in these languages often 
looks suspiciously like programming and practitioners wonder why they should 
not just write a program and let it serve as its own documentation. 

We believe that there are two problems with the best known methods:

1. They provide models of software rather than summary descriptions of behavior.

2. They use complex expressions that are difficult to parse and understand.

Our response has been:

1. to focus on functional/relational methods that summarize the required behavior rather than show how it might be implemented.

2. to introduce and define the meaning of multi-dimensional mathematical expressions (mathematical tables).

These two ideas have allowed us to build a set of prototype tools. Using these 
tools we have been able to explore what mathematics can do for the program 
designer. The mathematics we use is old, and we use it in the same way that 
mathematics is used in classical engineering. 

T. Rus (Ed.): AMAST 2000, LNCS 1816, pp. 9-10, 2000. 

(c) Springer-Verlag Berlin Heidelberg 2000
The talk will describe the fundamentals of our approach and then describe some of the prototype tools and how they would be used. We will demonstrate that classical mathematics is superior in many ways to newer "formal methods".
Abstract. The behavior of reactive systems is typically specified by state machines. This results in an operational description of how a system produces its output. An alternative and more abstract approach is to just specify the relation between the input and output histories of a system. In this work we propose a way to combine state-based and history-based specifications. Abstract communication history properties of system components can be derived from temporal logic properties of state machines. The history properties can then be used to deduce global properties of a complete system.



1 Introduction

To allow precise reasoning about a hardware or software system, a mathematical foundation for both systems and properties is a prerequisite. For some classes of systems — in particular clocked hardware — temporal logics have been used successfully to formalize and to reason about their properties.

Temporal logic and model checking are less successful, however, when the data flow between loosely coupled components that communicate asynchronously via communication channels is examined. For such systems a black box view which just relates input and output is more useful than the state-based glass box view of a component. Black box properties of data flow components and systems can be concisely formulated as relations over the communication history of components [7, 8]; such properties are inherently modular and allow easy reasoning about the global system behavior.

For individual data flow components, however, a state-based glass box view is helpful. State machines are good design documents for a component's implementation. Moreover, they provide an operational intuition that can aid in structuring proofs: safety properties, for example, are typically shown using induction over the machine transitions.

In this paper we show — based on the ideas of Broy's verification of the Alternating Bit Protocol [6] — how specifications of the black box view of a system or system component can be systematically derived from state machine specifications of the components. Thus we bridge the gap between techniques for

* This work is supported by the … within the Sonderforschungsbereich 3 2.

T. Rus (Ed.): AMAST 2000, LNCS 1816, pp. 11-25, 2000. 

(c) Springer-Verlag Berlin Heidelberg 2000
easy verification of data flow properties and more operational descriptions that are close to efficient implementations of a system.

The paper is structured as follows: In the next section we introduce some mathematical concepts and notations. Sections 2 and 3 describe history specifications for the black box view and state machines for the glass box view of a component, respectively. In Section 4 we present verification rules for temporal logic properties that are used in Section 5 to relate the black box and glass box views of a component. In Section 6 we demonstrate how the black box views support compositional reasoning about a system. The conclusion in Section 7 gives an outlook on future work.

2 History Relations

A data flow system is a network of components. Each component has input and output ports. Ports of different components are connected by directed channels. Communication over these channels is asynchronous; message buffers are assumed to be unbounded. The black box view of a data flow system regards only the communication between components and abstracts from the internal workings inside the components.

Systems in the black box view are modeled as relations over communication histories. The relations are expressed using formulas in predicate logic where the formula's free variables range over streams. Each free variable represents the communication history over one of the component's input or output ports.

There is a rich mathematical basis for this system model [7, 8]; this section contains only a short overview over the concepts used in the rest of the paper.



2.1 Streams

The communication history between components is modeled by streams; a stream is a finite or infinite sequence of messages. Finite streams can be enumerated, for example $\langle 1, 2, 3, 10\rangle$; the empty stream is denoted by $\langle\rangle$. For a set of messages $Msg$, the set of finite streams over $Msg$ is denoted by $Msg^*$, that of infinite streams by $Msg^\infty$. By $Msg^\omega$ we denote $Msg^* \cup Msg^\infty$. Given two streams $s, t$ and $j \in \mathbb{N}$, $\#s$ denotes the length of $s$. If $s$ is finite, $\#s$ is the number of elements in $s$; if $s$ is infinite, $\#s = \infty$. We write $s \frown t$ for the concatenation of $s$ and $t$. If $s$ is infinite, $s \frown t = s$. We write $s \sqsubseteq t$ if $s$ is a prefix of $t$, i.e. if $\exists u \in Msg^\omega.\ s \frown u = t$. The $j$-th element of $s$ is denoted by $s_j$ if $1 \le j \le \#s$; it is undefined otherwise. $\mathrm{ft}\,s$ denotes the first element of a stream, i.e. $\mathrm{ft}\,s = s_1$ if $s \ne \langle\rangle$.

The prefix relation is a partial order. The set of streams $Msg^\omega$ together with $\sqsubseteq$ forms a complete partial order (CPO); the empty stream is the least element in this CPO. This means that for every chain $\langle s_j\rangle_{j \in \mathbb{N}}$ of streams, where for each $j$, $s_j \sqsubseteq s_{j+1}$, there is a unique least upper bound $\bigsqcup \langle s_j\rangle_{j \in \mathbb{N}}$.

A predicate $P$ whose free variables range over streams in $Msg^\omega$ is admissible if it holds for the limit of a chain of valuations for its variables provided that it holds for each element of the chain. We then write $\mathrm{adm}(P)$. Syntactic criteria for admissibility can be found in [12].

Stream concatenation and the prefix order can be extended pointwise to tuples of streams; continuity of functions and admissibility of predicates can also be defined for stream tuples.



2.2 Component Specification

Figure 1 shows the system structure of a bounded transmission system with three components: sender, receiver, and a buffer with capacity for $N \ge 2$ data messages. For now we just examine the sender.

Fig. 1. Bounded buffer (components Sender, Queue, Receiver; channels $i$, $x$, $y$ of type $Msg$, channels $ack$ and $req$ of type $Signal$)



The black box view of the sender is specified by giving a set of input channel identifiers $I$ and a set of output channel identifiers $O$ (where $I \cap O = \emptyset$) to define its interface. The behavior is specified by a predicate with free variables from $I$ and $O$. Each channel identifier has an assigned type that describes the set of messages allowed on that channel. Typically we write the specification in the following style:

$$\begin{array}{l}
\textbf{Sender}\\
\textbf{in}\ \ i : Msg,\ ack : Signal\\
\textbf{out}\ x : Msg\\[2pt]
x \sqsubseteq i\\
\#x = \min(\#i,\ 1 + \#ack)
\end{array}$$

Intuitively, the sender behaves as follows: on channel $x$ it forwards the messages it receives on channel $i$ in the same order, but possibly not all of them. This safety property is denoted by the first assertion. The second assertion contains both a safety and a liveness part: for liveness it demands the sender to send at least the number of messages it receives on $i$, but only as long as each message is acknowledged; the safety part asserts that at most this number is received.

The specification pattern of the sender is typical for history specifications. The specification is a conjunction of prefix expressions which restrict the data values on the output channels and (in-)equalities which specify the length of the output histories in terms of the length of the input histories.
2.3 Component Composition

The history relation of a composed system can be derived from the history relations of its components. Components may share input channels, but each output channel must be controlled by only one single component. This is captured in the definition of compatibility: two components $C_1, C_2$ are compatible if they do not share output channels, $O_1 \cap O_2 = \emptyset$.

The result of the composition, denoted as $C_1 \otimes C_2$, is again a system specification. Channels with identical names are connected; the output of the composition is the union of the two components' output channels and the input of the composition consists of those input channels that remain unconnected:

$$I_{1 \otimes 2} = (I_1 \cup I_2) \setminus (O_1 \cup O_2), \qquad O_{1 \otimes 2} = O_1 \cup O_2$$

The behavior of the composed system is defined as the conjunction of the component behavior predicates.
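The stream operations of Section 2.1, the Sender history relation of Section 2.2 and the interface composition of Section 2.3, as an added executable illustration (example code written for this page, not from the paper). Finite streams are Python tuples; the interface sets of Queue and Receiver are this example's reading of Fig. 1 and are an assumption, not something the text spells out.

```python
# Added example: finite streams as tuples, prefix order, lubs of chains, the
# Sender history relation and the interface composition (I1,O1) ⊗ (I2,O2).

def concat(s, t):
    """s ⌢ t for finite streams represented as tuples."""
    return tuple(s) + tuple(t)

def is_prefix(s, t):
    """s ⊑ t: there is a u with s ⌢ u = t."""
    return len(s) <= len(t) and tuple(t[:len(s)]) == tuple(s)

def ft(s):
    """First element of a non-empty stream (undefined for <>)."""
    if not s:
        raise ValueError("ft <> is undefined")
    return s[0]

def is_chain(streams):
    """s_1 ⊑ s_2 ⊑ ...: every element is a prefix of the next."""
    return all(is_prefix(a, b) for a, b in zip(streams, streams[1:]))

def lub(chain):
    """Least upper bound of a finite ⊑-chain: its longest element.  (For an
    infinite chain the lub would be the possibly infinite limit stream.)"""
    if not is_chain(chain):
        raise ValueError("not a prefix chain")
    return chain[-1]

def approximations(s):
    """The chain <>, <s_1>, <s_1 s_2>, ... whose lub is s."""
    return [tuple(s[:k]) for k in range(len(s) + 1)]

def sender_spec(i, ack, x):
    """History relation of the Sender: x ⊑ i ∧ #x = min(#i, 1 + #ack)."""
    return is_prefix(x, i) and len(x) == min(len(i), 1 + len(ack))

def compatible(c1, c2):
    """Two components are compatible if O1 ∩ O2 = ∅."""
    return not (c1[1] & c2[1])

def compose(c1, c2):
    """(I1, O1) ⊗ (I2, O2) = ((I1 ∪ I2) \\ (O1 ∪ O2), O1 ∪ O2)."""
    if not compatible(c1, c2):
        raise ValueError("components share an output channel")
    (i1, o1), (i2, o2) = c1, c2
    return (frozenset((i1 | i2) - (o1 | o2)), frozenset(o1 | o2))

# Interfaces of the three components of Fig. 1.  Channel names are those of
# the figure; which channels belong to Queue and Receiver is this example's
# assumption.
SENDER = (frozenset({"i", "ack"}), frozenset({"x"}))
QUEUE = (frozenset({"x", "req"}), frozenset({"y", "ack"}))
RECEIVER = (frozenset({"y"}), frozenset({"o", "req"}))

def transmission_system():
    """Sender ⊗ Queue ⊗ Receiver: only i remains an external input."""
    return compose(compose(SENDER, QUEUE), RECEIVER)

if __name__ == "__main__":
    # constructed histories: three messages on i, one acknowledgment, two sent
    hist_i, hist_ack, hist_x = (1, 2, 3), ("ack",), (1, 2)
    print("sender spec holds:", sender_spec(hist_i, hist_ack, hist_x))
    print("system interface:", transmission_system())
```

The composition keeps only $i$ as an input of the whole system: $x$, $y$, $ack$ and $req$ are connected internally, and the compatibility check rejects any pair of components that would both write the same channel.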

3 State Machines

State machines are a more operational way to specify data flow components than history relations. We use the term state machine both for the abstract syntax (state transition systems, Section 3.2) and for the concrete graphical representation (state transition diagrams, Section 3.4). The executions of state transition systems are defined in Section 3.3.

First we give a formal definition of variable valuations for an assertion. Variable valuations allow us to talk about the validity of assertions in the different states of a state machine execution.

3.1 Variable Valuations

We assume an (infinite) set $Var$ of variable names. A valuation $\alpha$ is a function that assigns to each variable in $Var$ a value from the variable's type. By $\mathrm{free}(P)$ we denote the set of free variables in a logical formula $P$. If an assertion $P$ evaluates to true when each variable $v \in \mathrm{free}(P)$ is replaced by $\alpha(v)$, we write $\alpha \models P$.

Variable names can be primed; for example, $v'$ is a new variable name that results from putting a prime behind $v$. We extend priming to sets, $V' =_{df} \{v' \mid v \in V\}$, and to valuations: given a valuation $\alpha$ of variables in $Var$, $\alpha'$ is a valuation of variables in $Var'$ with $\alpha'(v') = \alpha(v)$ for all variables $v \in Var$. Priming can also be extended to predicates, functions and other expressions: if $P$ is an assertion with $\mathrm{free}(P) \subseteq V$, then $P'$ is the assertion that results from priming all free variables.

Note that an unprimed valuation $\alpha$ assigns values to all unprimed variables, while a primed valuation $\beta'$ only assigns values to all primed variables. If an assertion contains both primed and unprimed variables, we need two valuations to determine its truth. If $P$ evaluates to true when each unprimed variable $v \in \mathrm{free}(P)$ is replaced by $\alpha(v)$ and each primed variable $v' \in \mathrm{free}(P)$ is replaced by $\beta(v)$, we write $\alpha, \beta' \models P$. Two valuations coincide on a subset $V \subseteq Var$ if $\forall v \in V.\ \alpha(v) = \beta(v)$. We then write $\alpha \doteq_V \beta$.

3.2 State Transition Systems

A state transition system $S$ is a tuple $(I, O, A, Init, T)$ where $I, O, A$ are sets of variables. A state of our system is described by a valuation $\alpha$ that assigns values to all variables in $V =_{df} I \cup O \cup A$. $Init$ is an assertion with $\mathrm{free}(Init) \subseteq V$ that characterizes the initial states of the state transition system. $T$ is a finite set of transitions; each transition $\tau \in T$ is an assertion with $\mathrm{free}(\tau) \subseteq V \cup V'$. The tuple elements have to obey the following restrictions.

The sets $I$ and $O$ with $I \cap O = \emptyset$ contain the input and output channel variables. The variables range over finite streams which represent the communication history to and from the component. The set $A$ contains local state attributes, such as a variable for the control state and variables for data states. Additionally, $A$ contains for every $i \in I$ a variable $i^\circ$. These variables hold the part of the external input stream $i$ that has already been processed by $S$. The restrictions on the initialization and transition assertions defined below ensure that $i^\circ \sqsubseteq i$ always holds. We can therefore define $i^+$ as the part of the message history that has not yet been processed by $S$: $i = i^\circ \frown i^+$.

The assertion $Init$ characterizes the initial states of the system. We require $Init$ to be satisfiable for arbitrary input streams,

$$\exists \alpha.\ \alpha \models Init \ \wedge\ \forall \beta.\ (\beta \doteq_{O \cup A} \alpha \Rightarrow \beta \models Init)$$

and to assert that initially no input has been processed and no output has yet been produced:

$$Init \Rightarrow \bigwedge_{i \in I} i^\circ = \langle\rangle \ \wedge\ \bigwedge_{o \in O} o = \langle\rangle$$

The set $T$ contains the allowed transitions of $S$. Every transition $\tau \in T$ is an assertion over $V \cup V'$ and relates states with their successor states. Unprimed variables in $\tau$ are evaluated in the current state, while primed variables are evaluated in the successor state. All transitions must guarantee that the system does not take back messages it already sent, that it cannot undo the processing of input messages, that it can only read messages that have been sent to the component, and that it does not change the variables for input streams, since these are controlled by the environment:

$$\tau \Rightarrow \bigwedge_{o \in O} o \sqsubseteq o' \ \wedge\ \bigwedge_{i \in I} i^\circ \sqsubseteq i^{\circ\prime} \ \wedge\ \bigwedge_{i \in I} i^{\circ\prime} \sqsubseteq i \ \wedge\ \bigwedge_{i \in I} i' = i$$

In addition to the transitions in $T$ there is an implicit environment transition $\tau_e$. This transition is defined to allow the environment to extend the input while it leaves the controlled variables $v \in O \cup A$ unchanged:

$$\tau_e =_{df} \bigwedge_{v \in O \cup A} v' = v \ \wedge\ \bigwedge_{i \in I} i \sqsubseteq i'$$

A transition $\tau$ is enabled in a state $\alpha$, written as $\alpha \models \mathrm{En}(\tau)$, iff there is a state $\beta$ such that $\alpha, \beta' \models \tau$.

3.3 Executions

An execution of $S$ is an infinite stream of valuations $\langle\alpha_k\rangle_{k \in \mathbb{N}}$ that satisfies the following three requirements:

1. The first valuation in the execution satisfies the initialization assertion:
$$\alpha_1 \models Init$$

2. Each pair of subsequent valuations $\alpha_k$ and $\alpha_{k+1}$ in the execution are related either by a transition in $T$ or by the environment transition $\tau_e$:
$$\alpha_k, \alpha'_{k+1} \models \tau_e \vee \bigvee_{\tau \in T} \tau$$

3. Each transition $\tau$ of the state machine is taken infinitely often in an execution unless it is disabled infinitely often (weak fairness):
$$(\exists k.\ \forall l \ge k.\ \alpha_l \models \mathrm{En}(\tau)) \Rightarrow (\forall k.\ \exists l \ge k.\ \alpha_l, \alpha'_{l+1} \models \tau)$$

By $[\![S]\!]$ we denote the set of all executions of the system $S$.

3.4 State Transition Diagrams

Typically, state transition systems are specified by state transition diagrams (STDs). We use a subset of the syntax from the tool AutoFocus [9]. STDs are directed graphs where the vertices represent (control) states and the edges represent transitions between states. One vertex is designated as initial state; graphically this vertex is marked by an opaque circle in its left half. Edges are labeled; each label consists of four parts represented by the following schema:

$$Precondition : Inputs \triangleright Outputs : Postcondition$$

$Inputs$ and $Outputs$ stand for lists of expressions of the form $i?x$ and $o!exp$ ($i \in I$, $o \in O$ respectively) where $x$ is a constant value or a (transition-local) variable of the type of $i$ and $exp$ is an expression of the type of $o$. The $Precondition$ is a boolean formula containing data state variables and transition-local variables as free variables, while $Postcondition$ and $exp$ may also contain primed variables. The distinction between pre- and postconditions does not increase the expressiveness but improves readability. If the pre- or postconditions are equivalent to true, they can be omitted.

The informal meaning of a transition is as follows: if the available messages on the input channels can be matched with $Inputs$, the precondition is true and the postcondition can be made true by assigning proper values to the primed
Fig. 2. Sender, Receiver and Queue STDs (Sender: $Transmit \xrightarrow{i?d \,\triangleright\, x!d} WaitAck \xrightarrow{ack?} Transmit$; Receiver: $y?d \triangleright o!d,\ req!$; Queue: $\#q < N - 1 : x?d \triangleright \ldots$)

variables, then the transition is enabled. If the transition is executed, the inputs are read, the outputs are written and the postcondition is made true.

Figure 2 shows the STDs of sender, queue and receiver of the transmission system (see Fig. 1). Again we focus on the sender component: the sender receives some data $d$ on channel $i$; this message is immediately forwarded on $x$ and the system starts waiting for an acknowledgment message on channel $ack$. When the acknowledgment is received, the sender is ready to receive the next message from $i$.

State transition diagrams can be encoded schematically as state transition systems. For the sender component the variable sets are defined as follows: $I = \{i, ack\}$, $O = \{x\}$ (see Fig. 1), $A = \{i^\circ, ack^\circ, st\}$. The state attributes
consist of the processed message stream for each of the two input channels and a variable $st$ to hold the current control state.

The initial assertion of the sender is defined as

$$Init =_{df} st = Transmit \ \wedge\ i^\circ = \langle\rangle \ \wedge\ ack^\circ = \langle\rangle \ \wedge\ x = \langle\rangle$$

The transition $\tau_1$ from the state $Transmit$ to the state $WaitAck$ in the sender is encoded as the following assertion:

$$\begin{array}{ll}
\exists d.\ st = Transmit & \text{We move from the source state}\\
\wedge\ st' = WaitAck & \text{to the target state.}\\
\wedge\ i^+ \ne \langle\rangle & \text{There are unread messages in channel } i.\\
\wedge\ \mathrm{ft}\,i^+ = d & \text{Let } d \text{ be the first of them,}\\
\wedge\ i^{\circ\prime} = i^\circ \frown \langle d\rangle & \text{which we consume}\\
\wedge\ x' = x \frown \langle d\rangle & \text{and send on channel } x,\\
\wedge\ ack^{\circ\prime} = ack^\circ & \text{whereas we don't read from channel } ack,\\
\wedge\ i' = i \wedge ack' = ack & \text{and leave the input channels unchanged.}
\end{array}$$

The second transition $\tau_2$ of the sender can be encoded similarly. Note that the initialization and transition assertions obey the restrictions from Section 3.2.

The queue and receiver components lead to similar transition assertions. In case of the queue component there is an additional variable $q$ in $A$. Initially $q = \langle\rangle$; the transitions change $q$ according to the queue STD. A more detailed explanation of the translation of STDs to assertions can be found in [2].

4 Verification Rules

A common technique for formalizing and verifying properties of state transition system executions is temporal logic [11]. For the state machines of Section 3 we are not interested in general temporal logic properties but only in two special cases: invariants for safety properties and leadsto properties for liveness. This section introduces verification rules for these two property classes. Soundness proofs of these and other rules — expressed in a …-like formalism — can be found in [2].

Note that both invariance and leadsto properties relate single states in an execution; in Section 5 these properties are used to express properties about the complete communication history of executions.

4.1 Invariance Properties

To show that $S$ fulfills a safety property we use invariants. For a system $S = (I, O, A, Init, T)$ an assertion $P$ with $\mathrm{free}(P) \subseteq I \cup O \cup A$ is an invariant, written as $S \models \Box P$, if $P$ evaluates to true for each state in all executions of $S$:

$$S \models \Box P \;=_{df}\; \forall \langle\alpha_k\rangle \in [\![S]\!].\ \forall k.\ \alpha_k \models P$$

To prove $P$ to be an invariant we have to show that $P$ holds initially and remains true under each transition $\tau \in T$ as well as under the environment transition $\tau_e$:

$$\frac{Init \Rightarrow P \qquad P \wedge \tau \Rightarrow P' \quad \text{for all } \tau \in T \cup \{\tau_e\}}{S \models \Box P}$$

Example. For the sender, the output on channel $x$ is always equal to the sequence of messages from $i$ that have already been consumed:

$$Sender \models \Box\ x = i^\circ$$

The first condition of the invariant rule is fulfilled since for the sender initially both $x$ and $i^\circ$ are empty (see Section 3.4). The other two premises are fulfilled since the sender transition $\tau_1$ appends a single message to both $x$ and $i^\circ$; for transitions $\tau_2$ and $\tau_e$ we observe that both $x$ and $i^\circ$ remain unchanged.



4.2 Leadsto Properties

Progress of a system can be expressed using the leadsto operator $P \leadsto Q$, which states that whenever $P$ is true for a state in an execution, then $Q$ will be true in the same or in a subsequent state in the execution. Usually the leadsto operator is defined in temporal logic as $\Box(P \Rightarrow \Diamond Q)$, but for our purposes the following semantic definition of $S \models P \leadsto Q$ is sufficient:

$$S \models P \leadsto Q \;=_{df}\; \forall \langle\alpha_k\rangle \in [\![S]\!].\ \forall k.\ (\alpha_k \models P \Rightarrow \exists l \ge k.\ \alpha_l \models Q)$$

For the leadsto operator, too, there are verification rules:

$$\frac{\begin{array}{ll}
P \wedge \tau \Rightarrow P' \vee Q' & \text{for all transitions } \tau \in T \cup \{\tau_e\}\\
P \Rightarrow \mathrm{En}(\tau) \quad \text{and} \quad P \wedge \tau \Rightarrow Q' & \text{for a transition } \tau \in T
\end{array}}{S \models P \leadsto Q}$$

$$\frac{\begin{array}{ll}
\#o = k \wedge k < e \Rightarrow \mathrm{En}(\tau) \quad \text{and} \quad \#o = k \wedge k < e \wedge \tau \Rightarrow \#o' > k & \text{for a transition } \tau \in T
\end{array}}{S \models (\#o = k \wedge k < e) \leadsto \#o > k}$$

The first rule is a standard verification rule for liveness under weak fairness [10, 11]: There is a helpful transition which is enabled in all states where $P$ holds and which leads into a state where $Q$ holds (second premise). The other transitions are not harmful in that they leave $P$ invariant. Thus the helpful transition remains enabled until it is, by weak fairness, executed. The second rule, the output extension rule, is a specialization of the first rule. It is used to prove that an output stream exceeds a certain length $k$ provided that sufficient input is available. This can be described by an $\mathbb{N}$-valued length expression $e$ with $\mathrm{free}(e) \subseteq I$ which is monotonic in its free variables. The main difference to the first rule is that it is not necessary to show the safety premises of the first rule: for this special case they hold trivially, since channel valuations are monotonic with respect to $\sqsubseteq$, and due to its monotonicity the length expression can be proven to be non-decreasing [2]. The left hand side of the output extension rule's conclusion can be strengthened by an arbitrary predicate $R$ if the left hand sides of the premises are also strengthened by $R$.

Besides the two rules above there are a number of additional rules for the leadsto operator: transitivity, weakening of the right hand side, strengthening of the left hand side. The disjunction rule combines two leadsto properties: if $P_1 \leadsto Q$ and $P_2 \leadsto Q$ then also $(P_1 \vee P_2) \leadsto Q$. Moreover, invariants can be introduced and eliminated on both sides of the operator.

Example. Again regarding the sender, we want to show

$$Sender \models \#x = k \wedge k < \min\{\#i,\ 1 + \#ack\} \leadsto \#x > k$$

which expresses that the output on $x$ is extended provided there is sufficient input on $i$ and $ack$, expressing that the length of the output on $x$ is reaching at least the limit $\min(\#i, 1 + \#ack)$.

For $st = Transmit$ we use the output extension rule with $\tau_1$ as the helpful transition since it produces output on $x$. The last condition of the rule is easy to prove since $\tau_1$ implies the extension of $x$ by $x' = x \frown \langle d\rangle$, so that $\#x = k \wedge \ldots \Rightarrow \#x' > k$ is trivial. For the second condition we have to prove that $\tau_1$ is enabled. If we assume $st = Transmit$, it is enabled iff there is some message on the channel $i$, i.e. iff $i$ is longer than its consumed part $i^\circ$. Using the safety invariant from above, this can be derived as follows:

$$\#i^\circ = \#x = k < \min(\#i,\ 1 + \#ack) \le \#i$$

For $st = WaitAck$, transition $\tau_1$ is not enabled. Instead we use the standard weak fairness rule to show that by transition $\tau_2$ state $WaitAck$ is entered. The two results can be combined with the transitivity and disjunction rules to derive the property

$$Sender \models ((st = WaitAck \vee st = Transmit) \wedge \#x = k \wedge k < \min(\#i,\ 1 + \#ack)) \leadsto \#x > k$$

It can be shown that $st = WaitAck \vee st = Transmit$ is an invariant; its elimination results in the property above [2].
5 History Properties

We introduced two ways to specify reactive systems: history relations and state machines. The two views describe quite different views on a system. Using the black box views of history relations we model the I/O behavior with streams; the relations do not refer to any internals of the components and do not describe how this behavior is achieved. Using state machines we concentrate on single steps of the system, referring to the component internals. In this section we close the gap between state machines and black box views.

Within a state machine execution, changes in the valuations for the input and output variables in $I \cup O$ are restricted to extensions. Thus the valuations of each input and output variable within an execution form a chain, and for each execution $\langle\alpha_k\rangle$ and each variable $v \in I \cup O$ there is a least upper bound

$$[\![\langle\alpha_k\rangle]\!](v) \;=_{df}\; \bigsqcup \langle\alpha_k(v)\r角le_{k \in \mathbb{N}}$$

Note that $[\![\langle\alpha_k\rangle]\!](v)$ is only defined for the input and output variables, not for the attribute variables $A$ of a state machine.

The black box view of a state machine $S$ is a set of valuations for the variables $I \cup O$. It is denoted by $[\![S]\!]_{bb}$ and defined via the least upper bounds of the input and output histories of the machine's executions. For each execution $\langle\alpha_k\rangle$ in $[\![S]\!]$ there is a valuation $\alpha$ in the black box view which assigns to the channel variables in $I \cup O$ the limits of the channel variable valuations of $\langle\alpha_k\rangle$:

$$[\![S]\!]_{bb} \;=_{df}\; \{\alpha \mid \exists \langle\alpha_k\rangle \in [\![S]\!].\ \bigwedge_{i \in I} \alpha(i) = [\![\langle\alpha_k\rangle]\!](i) \ \wedge\ \bigwedge_{o \in O} \alpha(o) = [\![\langle\alpha_k\rangle]\!](o)\}$$

Since both the proper transitions and the environment transition $\tau_e$ of a state machine allow arbitrary extension of the input variable valuations, it is possible to successively approximate an arbitrary input history. This means that the black box view is total with respect to the input variables of $S$: for an arbitrary input there is always some reaction of the system. Formally this reads as: for each valuation $\alpha$ for the variables $I \cup O$ there exists a valuation $\beta$ for $I \cup O$ such that

$$\alpha \doteq_I \beta \ \wedge\ \beta \in [\![S]\!]_{bb}$$

5.1 Safety Properties

In practice it is difficult to directly use the black box semantics of a state machine. Instead we derive properties of the black box view from properties of the state machine. Technically, a property of the black box view is a predicate $P$ with $\mathrm{free}(P) \subseteq I \cup O$ which is valid for each valuation in a system's black box view:

$$\forall \alpha \in [\![S]\!]_{bb}.\ \alpha \models P$$

We then write $S \models_{bb} P$.
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is n missi le inv ri n e property o st te m hine it hoi s not only 
in every st te o system run ut Iso or the omplete ommuni tion history 

free( I O 
adm 

□ 



he v li ity o the rule ollows rom the t th t the v lu tions o the lr nnel 
v ri les I n O orm h in. e use it is inv ri nt hoi s or every element 
o the h in. e use o missi ility it Iso lrol s in the limit. 

Example, n 4.1 we slrowe th t x i is n inv ri nt o the sen er. oreover 
x i is Iso n inv ri nt sin e i i. his pre i te is Iso missi le 12 n 
thus we n ire tly on lu e 

Sender x i 

his me ns th t the sen er implies the first h 1 o the sen er’s history 

spe ifi tion in 2.2. imil rly we n show Sender jj=x 1 #ack. 



5.2 Progress Properties

In general, progress properties expressed with the leadsto operator cannot be lifted to complete executions. However, output extension properties (4.2) can be used to derive liveness properties of a state machine's black box view. In the following rule $e$ is a monotonic $\mathbb{N}$-valued expression with $\mathit{free}(e) \subseteq I$, as used in the output extension rule:
$$\frac{M \models \Box(\#o = k \wedge k < e \rightarrow \Diamond\, \#o > k)}{M \models \#o \geq e}$$
To see the validity of the rule assume that the premise holds but not the conclusion. Thus there is an execution of $M$ such that the length of the limit of the channel valuations for $o$ is strictly less than the limit of the valuations of $e$; in particular it is equal to a natural number $k$. This means that there is an earliest state $n$ in the execution where the length of the output valuation for $o$ reaches $k$. Moreover there is a state $m$ where $e$ is larger than $k$. Since channel valuations cannot become shorter and $e$ is monotonic, this means that in all states $p$ with $p \geq \max(n, m)$ the left hand side of the premise is fulfilled but the right hand side never holds. This violates the assumption that the premise is valid.

Example. In 4.2 we showed
$$\mathit{Sender} \models \Box(\#x = k \wedge k < \min(\#i, 1 + \#\mathit{ack}) \rightarrow \Diamond\, \#x > k).$$
We can now directly use the above rule to derive
$$\mathit{Sender} \models \#x \geq \min(\#i, 1 + \#\mathit{ack}).$$
Together with the safety properties shown above this implies the second part of the sender's history specification.
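The chain-and-limit argument behind the two rules above, as an added example that is not code from the paper. It assumes a concrete sender, hypothetical but consistent with the sender's history specification shown in the text: the sender forwards the next input message whenever $\#x < \min(\#i, 1 + \#\mathit{ack})$. The environment events are constructed inline. The safety invariants hold on every element of the execution chain and therefore on its least upper bound, whereas the progress property only holds for the limit of a run in which the enabled sender transition is eventually taken, which is exactly what the output extension premise demands.

```python
"""Execution chains, least upper bounds and lifting of properties to the limit.

Added example, not from the paper.  The sender below is an assumption:
it emits the next input message whenever #x < min(#i, 1 + #ack), i.e. it
never has more than one unacknowledged message in flight.
"""
from typing import List, Tuple

# A valuation of the sender's channel variables: (i, ack, x).
# i and ack are inputs, x is the output; all are tuples (finite streams).
Val = Tuple[tuple, tuple, tuple]

# Constructed environment events: 'in' extends i by a message, 'ack' extends ack.
EVENTS = [('in', 'a'), ('in', 'b'), ('ack',), ('in', 'c'), ('ack',), ('ack',)]


def is_prefix(a: tuple, b: tuple) -> bool:
    """a is a prefix of b (the order used for streams)."""
    return len(a) <= len(b) and b[:len(a)] == a


def is_chain(vals: List[Val]) -> bool:
    """Every channel valuation only grows along the execution (restriction to extensions)."""
    return all(all(is_prefix(p, q) for p, q in zip(u, v))
               for u, v in zip(vals, vals[1:]))


def lub(vals: List[Val]) -> Val:
    """Least upper bound of a finite chain: its last element."""
    assert is_chain(vals)
    return vals[-1]


def sender_enabled(v: Val) -> bool:
    i, ack, x = v
    return len(x) < min(len(i), 1 + len(ack))


def sender_step(v: Val) -> Val:
    i, ack, x = v
    return (i, ack, x + (i[len(x)],))


def run(events, fair: bool = True) -> List[Val]:
    """Execution as a list of valuations.

    With fair=True the sender fires whenever enabled before the environment moves
    again (the enabled transition is eventually taken); with fair=False the sender
    transition is never taken, which the step semantics alone does not forbid."""
    v: Val = ((), (), ())
    trace = [v]
    for ev in events:
        if ev[0] == 'in':
            v = (v[0] + (ev[1],), v[1], v[2])
        else:
            v = (v[0], v[1] + ('ack',), v[2])
        trace.append(v)
        while fair and sender_enabled(v):
            v = sender_step(v)
            trace.append(v)
    return trace


def inv_safety(v: Val) -> bool:
    """The two admissible invariants: x is a prefix of i and #x <= 1 + #ack."""
    i, ack, x = v
    return is_prefix(x, i) and len(x) <= 1 + len(ack)


def liveness(v: Val) -> bool:
    """The derived progress property #x >= min(#i, 1 + #ack), checked on a valuation."""
    i, ack, x = v
    return len(x) >= min(len(i), 1 + len(ack))


if __name__ == '__main__':
    fair = run(EVENTS)
    print('chain:', is_chain(fair), 'safety everywhere:', all(map(inv_safety, fair)))
    print('limit:', lub(fair), 'liveness at limit:', liveness(lub(fair)))
    print('unfair limit satisfies liveness:', liveness(lub(run(EVENTS, fair=False))))
```

In the fair run every element of the chain satisfies both invariants, so the limit does too, and the limit also satisfies $\#x \geq \min(\#i, 1 + \#\mathit{ack})$. In the unfair run the invariants still hold everywhere (they are safety properties), but the progress property fails at the limit, which is why it cannot be lifted without the output extension premise.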

6 Black Box Composition

We now have a closer look at the complete transmission system of Fig. 1. The sender pushes data to the queue and waits for acknowledgments, and the receiver requests data from the queue; the queue itself stores up to $N$ ($N \geq 2$) data messages.

The behavior of the three components is defined in Fig. 2 by state machines. Using the techniques of this paper we can show that the receiver and the queue satisfy the following history relations:

Queue(N)
  in  x : Msg, req : Signal
  out ack : Signal, y : Msg
  $y \sqsubseteq x$
  $\#y = \min(\#x, \#\mathit{req})$
  $\#\mathit{ack} = \min(\#x, \#\mathit{req} + N - 1)$

By black box composition the history relation of the complete system is specified as follows. The behaviour is simply described by the conjunction of the component properties.
From the specification of System(N) above we can immediately see that the output is a prefix of the input: $o \sqsubseteq y \sqsubseteq x \sqsubseteq i$. Using the inequalities it can also be shown by some case analysis that the length of the output equals the length of the input. Together this implies
$$o = i$$
for all input streams $i$. As expected, the system implements the identity relation.

The same result could have been obtained by first composing the three component state machines and then deriving $o = i$, but the number of verification conditions for the invariance and leadsto properties would have been much higher. For the composition of data flow properties, history relations seem to be the more adequate abstraction level.
7 Conclusion

In this paper we showed how state-based and history-based specification and verification techniques for safety and liveness properties of distributed systems can be combined. State machine properties are expressed using standard linear temporal logic; history properties are expressed as relations between input and output streams.

In a related technical report [2] we also allow composition at the level of state machines; properties proven for the combined system are shown to hold also for the black box composition of a system. That our system is compositional is due to the data flow nature of our systems: components cannot disable transitions of other components, thus the system is interference free. This is quite useful in practice since it is often hard to find suitable history predicates for each component, although the complete system behavior can be succinctly specified in this way. State machine composition also helps to circumvent the mismatch between purely relational data flow specifications and the operational intuition that was discovered by Brock and Ackermann [3].

Proofs for larger systems, especially for leadsto properties, are often quite complex. A solution might be to use verification diagrams along the lines of [4, 11], which reduce temporal reasoning to simple first-order verification conditions. Since the number of verification conditions for concrete systems can be quite large, some kind of tool support is needed. As an experiment, the safety properties of the communication system example have been verified in a mechanical proof environment; currently we are formalizing our approach in Isabelle/HOL [13].

Our specification and proof techniques are so far only suited for time-independent systems. The extension of history-based specifications to time raises some interesting questions. A straightforward solution might be to explicitly include "time ticks" in the message streams. Such time ticks can also be used to ensure progress of a state machine. But also without explicit time, progress is not restricted to the weak fairness condition of 3.3. An alternative would be to just demand that some transition is taken whenever at least one transition is persistently enabled; some classes of components, in particular fair merge components, would then require additional oracle inputs.
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Abstract. Default reasoning has become an important topic in software 
engineering. In particular, defaults can be used to revise specifications, 
to enhance reusability of existing systems, and to allow a more economic 
description of systems. In this paper we develop a framework for default 
specifications of reactive systems. 

We present a formalisation of non-monotonicity in temporal logic based 
on the notion of default institution. Default institutions were defined as 
an extension of institutions in order to allow partial reuse of existing 
modules. The semantics of defaults is given by a (generalised) distance 
between interpretations. In this way, by defining a pre-order between 
temporal morphisms and using temporal logic as a specification language, 
we get a way of handling defaults in specifications of reactive systems. 
We illustrate the developed formalism with an example in which a spec- 
ification is reused, but where the new behaviour contradicts the initial 
specification. In this example, the initial specification is seen as a default 
to which exceptions are added. 



1 Introduction 

Although default reasoning first appeared within artificial intelligence, it has become an important topic in software engineering. It concerns reasoning on assumptions held to be true unless there is explicit evidence to the contrary. Several issues show the need of defaults in specifications. In particular, defaults can be used to revise specifications, they enhance reusability of existing systems, and they allow a more economic description of systems. Defaults can also be used to handle inconsistencies resulting from the combination of different perspectives and views of people developing the software system, i.e. in the viewpoints framework [3].

Many important computer programs such as operating systems, network communication protocols and air traffic control systems exhibit ongoing behaviour which is ideally non-terminating and thus infinite, reflecting their continuously operating nature. These systems maintain an ongoing interaction with their environment, and intermediate outputs of the program can influence subsequent intermediate inputs of the program. Such systems are called reactive systems.

T. Rus (Ed.): AMAST 2000, LNCS 1816, pp. 26-40, 2000.
(c) Springer-Verlag Berlin Heidelberg 2000
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h or o o u n n ur t 11 on in titution [4 h ho n th t m ny 
p t o p i tion in th 1 r n m ly th ility to put to th r m 11 

p i tion to orm th p i tion o ompl y t m p n only on 

orn prop rti o th un rlyin lo i . n titution orm li th notion o 1 
lo i 1 y t m . n ition th y provi y o 1 luin to th r th ori n 

h n y o tru turin p i tion. lthou h in titution provi y 

o tru turin p i tion th i tin p i tion n nri lr ut not 

mo i . Default institutions [10 r propo n t n ion to th notion o 

in titution in or r to n 1 p rti 1 r -u o p i tion lr y r n ri 

r m or or th tr tm nt o ption to norm on lo i n 

n r li i t n t n it int rpr t tion . y u in thi n r li tion o 
i t n th y iv m nti to th om in tion o ult mo ul ith mor 

p i in orm tion th t n ov rri th ult . n thi y in th m y 
th th ory o 1 r i p i tion i p r m t ri y in titution th ory o 

tru turin ith ption ill p r m t ri y ult in titution . 

n thi p p r v lop orm li m or non-monotoni ity in t mpor 1 lo i 
on th on pt o ult in titution. n thi r m or th m nti o 

ult ith n ption i iv n y 1 tin th mo 1 o th ption th t 

r lo po i 1 to th mo 1 o th ult or in to th iv n notion 
o i t n un tion. lr t mpor 1 in t nti tion o ult in titution llo or 

th v lopm nt o tru tur ult p i tion o r tiv y t nr . 

lthou lr v r 1 nr lr ni m lr v n propo or lr n lin ult in 
ommon- n r onin not o m ny lr v n propo or p i tion o 
r tiv y t nr . lr motiv tion n int n mo 1 o r nr or or non- 

monotoni t mpor 1 r onin out o t r y t nr or ommon- n m- 
pl r i r nt. n th y t nr int n or th i r nt purpo lr v 

to i imil r. Non-monotoni r onin i invi i 1 n virtu lly non- i t nt 
in in u try. Mor n t rn [ tri to un r t n hy non-monotoni r onin 
n in u try r o r p rt. hr on iv n r r 1 t to th t th t 
r r lr lr no u lmo t lu iv ly on pro 1 nr o ommon- n r - 

onin hil in u try i prim rily on rn ith pro 1 m hi lr pp r to 
lr v v ry littl to o ith ommon- n r onin . lthou lr in u try o r 
rtil roun or non-monotoni r r lr r it r nr in un lr rt t rritory or 

th non-monotoni ommunity [ . n th tr t y or int r tin non-monotoni 

r onin in in u try r r lr r houl mili ri th m lv ith pro 1 m 
in in u try It t to hi h non-monotoni r onin pp r to r 1- 
v nt n o u on tho pro 1 m in th ir r r h. n thi p p r o u 

on pro lmo non-monotoni ity in p i tion n th i ion m r 

influ n or in ly. 
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Mo t o th or on in t mpor 1 ult h n v lop ith ommon- 
n mpl in min . o v r [1 6 propo n t n ion to th j t 
p i tion o i ( ) [12 ith ult to rriv t h t th y 11 

j t p i tion o i ith ult ( ). i on t mpor 1 lo i 

n th int rpr t tion r or ni in pr -or r lr n on titutin pr - 

r nti 1 mo 1 [7 . i on th t mpor 1 prioriti tion ori in t rom 

lrolr m lrronolo i li nor n [11 hr rli r ult r impli itly iv n 
hi lr r priority, hi ppro lr h om pro 1 m hi h ri rom lrronolo i- 
1 minimi tion. lr uthor th m lv hi hli ht th i ulti n It 
ith th m y in p i ult ith i r nt 1 v 1 o priority, o v r 

h n p i yin y t nr i u in th i oul lr v to no tly 

hi lr ult to n hi lr 1 v 1 o priority to i n to tho ult . 

h o t 1 r on i r hr lr n v lopin th i t n t n 

t mpor 1 int rpr t tion n th y r ir tly olv throu lr th u o thi 

r nr or ; th p i r o not lr v to on i r th pro 1 m lr n u in 
th r nr or v lop lr r . ult in titution r mor po r ul th n pr - 

r nti 1 mo 1 [5 n h n i th ri ht in t nti tion i ho n th y llo u 
to 1 ith th o t 1 ir tly itlrin th r nr or . 

hi p p r i tru tur olio . tion 2 ri fly pr nt ult in ti- 

tution n th i o lr n lin ult y i t n t n int rpr t tion . 

tion 3 i th m in p rt o th p p r. t in y pr ntin th t mpor 1 
lo i th t ill u . impl mpl i th n ri hi lr ill illu - 

tr t th r m or in v lop . in lly pr nt th orm li tion o 

non-monotoni ity in t mpor 1 lo i th t i u to lr n 1 ult in th p i- 

tion o r tiv ytm. on lu in tion 4 y umm ri in th m in 

point n t hin urth r or . 

2 The Meaning of but

The algebraic specification school proposed strong constructs where existing specifications can be enriched but not modified. In [10] default institutions are proposed in order to allow partial reuse of existing specification modules. They extend the general notion of logic of institutions [4] by including a notion of distance between interpretations. The modification of a specification $D$ with an exception $E$ is denoted by $D$ but $E$, representing that the default $D$ can be overridden by more specific properties $E$. The semantics of $D$ but $E$ is given by selecting the models of the exception $E$ that are as close as possible to the models of the default $D$ according to the given notion of distance between interpretations.

In general we want to compare interpretations that may be very different in nature, so we need a way to relate elements of different nature that play similar roles. This is achieved in the framework of algebraic specification through the use of morphisms between interpretations. The notion of distance is then generalised and compares pairs of interpretations linked by morphisms; distances are the particular case in which there is only one morphism between each pair of interpretations.

Distance Functions for Defaults in Reactive Systems

Interpretation morphisms (i.e. pairs of interpretations linked by an indication about which elements play similar roles) are compared by a pre-order $\leq$ on morphisms (here and in the following $\Sigma$ is a signature). This pre-order has to verify some constraints in order to capture the motivation for handling defaults. We explain some of the ideas underlying this pre-order and the notion of default institution. The formal definition of default institution and further explanation can be found in [10, 5].

Let $m$, $n$ and $n'$ be interpretations for a given signature $\Sigma$ and $h\colon m \to n$ and $h'\colon m \to n'$ be two interpretation morphisms; intuitively $h \leq h'$ means that $m$ is 'closer' to $n$ (according to $h$) than $m$ is to $n'$ (according to $h'$). The minimal morphisms for each of the orderings $\leq$ are called agreements. Note that identity morphisms should always be agreements, in that nothing is closer to any interpretation than the interpretation itself. Interpretations linked by a minimal morphism (an agreement) behave similarly, in that a minimal morphism $h\colon m \to n$ represents that $m$ is as close to $n$ as possible. So we require that if two interpretations $m$ and $n$ are linked by an interpretation morphism $h\colon m \to n$ then the properties of $m$ are also properties of $n$, i.e. if $\Sigma^*$ is the set of all formulae with signature $\Sigma$ then for all $\varphi \in \Sigma^*$, $m \models \varphi$ implies $n \models \varphi$. This condition is called weak abstractness [10]. Intuitively it means that our logic does not allow us to look at more details of the interpretations than the morphisms do. In addition, the usual condition of symmetry on distance functions is weakened to 0-symmetry [10]: if there is an agreement from $m$ to $n$ then there is also one from $n$ to $m$. The two conditions of 0-symmetry and abstractness together imply that two interpretations linked by an agreement satisfy exactly the same formulae. An extra restriction on the pre-order is the requirement that agreements should be transparent with respect to comparisons. This condition is called 0-equivalence, and it means that composing a morphism with an agreement is equivalent (in the pre-order) to the initial morphism itself.

The semantics of the combination of a default $D$ and an exception $E$, denoted $D$ but $E$, is defined using the concept of (generalised) distance given by the pre-order on interpretation morphisms. An interpretation $m$ is a model of $D$ but $E$ if $m$ is the domain of a minimal morphism among the morphisms whose domain satisfies $E$ and whose codomain satisfies $D$. Note that models of $D$ but $E$ always satisfy the exception $E$. To express this formally some notation is needed: if $E$ and $D$ are sets of formulae, $\mathit{Mor}(E, D)$ is the class of morphisms whose domain satisfies $E$ and whose codomain satisfies $D$, and $\mathit{Min}(E, D)$ is the class of minimal morphisms of $\mathit{Mor}(E, D)$. Formally the models of the but are the following.

Definition 1 (Semantics of but). Let $E$ and $D$ be sets of formulae over a signature $\Sigma$, and $m$ an interpretation. Then $m$ is a model of $D$ but $E$, written $m \models D$ but $E$, iff there is a morphism $h \in \mathit{Min}(E, D)$ such that $m = \mathit{dom}(h)$.

When using this machinery within a particular logic, the main choices we have to make are the morphisms between interpretations and the pre-order between the morphisms. We have to decide what the pre-order $\leq$ is. This is exactly what we do in the next section for the temporal case.

3 The Temporal Setting

The structure of temporal arguments and of temporal discourse has been of interest in different fields over the years, probably as a result of the importance of the temporal to human reasoning. In computer science the use of temporal logic as a formalism for specifying and verifying correctness of computer programs was initiated by Pnueli in [9], and it has been widely explored in this field in many papers.

In the remainder of this section we briefly describe linear propositional temporal logic and define morphisms between temporal interpretations and a pre-order on them. The pre-order presented here is tailored to the application we have in mind, namely specification with defaults.

3.1 Propositional Temporal Logic

The language of propositional temporal logic is based on the language of propositional logic, but various operators or 'modalities' are provided to reason about the change of truth values of assertions over time. Examples of common temporal operators include G (always in the future), F (eventually), W (unless), X (next) and U (until). The propositional temporal language is defined starting from a set of propositional letters $\Sigma$ (a signature). The set $\Sigma^*$ of propositional temporal formulae is the least set such that

- each $p \in \Sigma$ is a formula ($\Sigma \subseteq \Sigma^*$);
- if $A$ and $B$ are in $\Sigma^*$ then $\neg A$ and $(A \wedge B)$ are in $\Sigma^*$;
- if $A$ and $B$ are in $\Sigma^*$ then $XA$ and $A\,U\,B$ are in $\Sigma^*$.

The semantics of the temporal language is given in terms of frames; a frame is an ordered pair $(W, R)$ where $W$ is the set of points in time, ordered by a binary relation $R$ of precedence between them ($sRt$ is read 't is after s'). In the sequel we will use the frame $(\mathbb{N}, <)$. An interpretation is a triple $(\mathbb{N}, <, V)$ where $V$ is a function assigning to every time point $t$ (every natural number) a set of propositional letters $V(t) \subseteq \Sigma$, namely the set of propositional letters that are true at the time point $t$. The semantics of a formula $A$ over an interpretation $m$ at time point $t$, written $m \models_t A$, is recursively defined as follows:

- $m \models_t p$ ($p \in \Sigma$) iff $p \in V(t)$;
- $m \models_t \neg A$ iff it is not the case that $m \models_t A$;
- $m \models_t A \wedge B$ iff $m \models_t A$ and $m \models_t B$;
- $m \models_t XA$ iff $m \models_{t+1} A$;
- $m \models_t A\,U\,B$ iff there is $t' \in \mathbb{N}$ with $t \leq t'$ such that $m \models_{t'} B$ and for every $t'' \in \mathbb{N}$, if $t \leq t'' < t'$ then $m \models_{t''} A$.

We say that a formula $A$ is valid on the interpretation $m$ iff $m \models_0 A$. The semantics of the other temporal operators can be derived from these.

Now that we have defined the propositional temporal logic, the problem is how to define morphisms between interpretations and a pre-order on the morphisms in such a way that defaults in specifications of reactive systems behave in the expected way. To motivate the definitions let us look at an example.



3.2 An Example: A Ferris Wheel

Consider a Ferris wheel with six chairs, where each chair can be in one of six positions. As the relative positions of the chairs do not change, from the position of one of the chairs we know the positions of all the others. We choose one of the chairs and from now on we only talk about that chair. The chair can be in one of three levels, 1, 2 or 3, and it always moves in the same direction (clockwise). The name of each position indicates the level of the chair and whether it is going up or down, e.g. 3up indicates that it is at level 3 and it is going up. Following this convention the names of the positions of the chair are 1up, 2up, 3up, 3down, 2down and 1down. The chair goes from 1up to 2up and from this to 3up, then it goes to 3down and starts going down to 2down and 1down and then to 1up again, and it never stops. A specification of this Ferris wheel is below. The first formula states that the chair is always in one of the six positions and that it is not in more than one at the same moment. The other formulae describe the movement of the chair.

$$G((1up \vee 2up \vee 3up \vee 3down \vee 2down \vee 1down) \wedge \neg(1up \wedge 2up) \wedge \neg(1up \wedge 3up) \wedge \neg(1up \wedge 3down) \wedge \ldots)$$
$$G(1up \rightarrow X\,2up) \qquad G(2up \rightarrow X\,3up)$$
$$G(3up \rightarrow X\,3down) \qquad G(3down \rightarrow X\,2down)$$
$$G(2down \rightarrow X\,1down) \qquad G(1down \rightarrow X\,1up)$$

Suppose now that we want to add an emergency lever that makes the chair reach level 1 as quickly as possible. If the chair is in one of the down positions then the fastest way of getting to level 1 is to keep going clockwise. However, if the chair is in one of the up positions then the fastest thing is to reverse the direction and move counter-clockwise. Suppose that the lever stays pushed until the chair gets to level 1, when it stops and the lever is released. The action of pushing the lever is called push, and lever represents the state in which the lever is pushed. The formulae below represent what we want to add to the specification.

$$G(push \rightarrow lever)$$
$$G(((3down \vee 2down) \wedge lever) \rightarrow X\,lever)$$
$$G((lever \wedge 3up) \rightarrow X(2up \wedge lever)) \qquad G((lever \wedge 1down) \rightarrow X(1down \wedge \neg lever))$$
$$G((lever \wedge 2up) \rightarrow X(1up \wedge lever)) \qquad G((lever \wedge 1up) \rightarrow X(1up \wedge \neg lever))$$

Instead of rewriting the specification from the beginning and considering explicitly whether the lever has been pushed or not, we want to add the formulae as an exception to the specification. If $D$ is the conjunction of the formulae in the specification of the Ferris wheel and $E$ the conjunction of the formulae that describe the lever, then the models of the Ferris wheel with the emergency lever should be the models of the state constraints that satisfy $D$ but $E$. However, in order to give semantics to but we have to know what the morphisms between interpretations are and how they are ordered, i.e. what the pre-order $\leq$ is.
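The semantics of Section 3.1 applied to the Ferris wheel of this section, as an added example that is not part of the paper. Interpretations are restricted to eventually periodic runs (an assumed finite prefix of valuations followed by a repeated loop), which is enough to decide G, F and U exactly rather than up to a cut-off. The two runs are constructed inline: the undisturbed wheel, and a run in which push occurs at 2up and the chair reverses to 1up. The latter satisfies the state constraint and all lever formulae $E$ but violates two of the movement defaults $D$, which is precisely the situation "D but E" has to resolve.

```python
"""Propositional temporal logic over eventually periodic (lasso) interpretations.

Added example; not code from the paper.  An interpretation (N, <, V) is given as
a finite prefix plus a loop of valuations V(t) (sets of propositional letters),
so the infinite-horizon operators G, F and U can be decided exactly.
"""
from functools import reduce
from itertools import combinations

Formula = tuple  # ('p', letter) | ('not', A) | ('and', A, B) | ('next', A) | ('until', A, B)

def P(x): return ('p', x)
def Not(a): return ('not', a)
def And(a, b): return ('and', a, b)
def Or(a, b): return Not(And(Not(a), Not(b)))
def Implies(a, b): return Not(And(a, Not(b)))
def X(a): return ('next', a)
def U(a, b): return ('until', a, b)
TRUE = Or(P('_'), Not(P('_')))
def F(a): return U(TRUE, a)        # eventually
def G(a): return Not(F(Not(a)))    # always in the future

class Lasso:
    """V(t) comes from `prefix` for t < len(prefix), afterwards from `loop` cyclically."""
    def __init__(self, prefix, loop):
        self.prefix = [frozenset(s) for s in prefix]
        self.loop = [frozenset(s) for s in loop]
        assert self.loop, "the loop must be non-empty so V(t) is defined for all t"

    def V(self, t):
        if t < len(self.prefix):
            return self.prefix[t]
        return self.loop[(t - len(self.prefix)) % len(self.loop)]

    @property
    def period_bound(self):
        # From any t, the states V(t), V(t+1), ... seen within this many steps
        # are all the states the run will ever visit from t on.
        return len(self.prefix) + len(self.loop)

def holds(m: Lasso, t: int, f: Formula) -> bool:
    """m |=_t f, following the recursive clauses of Section 3.1."""
    tag = f[0]
    if tag == 'p':
        return f[1] in m.V(t)
    if tag == 'not':
        return not holds(m, t, f[1])
    if tag == 'and':
        return holds(m, t, f[1]) and holds(m, t, f[2])
    if tag == 'next':
        return holds(m, t + 1, f[1])
    if tag == 'until':
        a, b = f[1], f[2]
        # A witness t' for B, if one exists, lies inside this window: beyond it
        # the run only repeats states already inspected.
        for t2 in range(t, t + m.period_bound + 1):
            if holds(m, t2, b):
                return True
            if not holds(m, t2, a):
                return False
        return False
    raise ValueError(tag)

def valid(m: Lasso, f: Formula) -> bool:
    """A formula is valid on m iff it holds at time 0."""
    return holds(m, 0, f)

def violations(m: Lasso, body: Formula):
    """Time points (up to the period bound) at which the body of a G(...) fails."""
    return [t for t in range(m.period_bound) if not holds(m, t, body)]

POS = ['1up', '2up', '3up', '3down', '2down', '1down']
def conj(fs): return reduce(And, fs)
def disj(fs): return reduce(Or, fs)

# State constraint: always exactly one position.
STATE_CONSTRAINT = G(And(disj([P(p) for p in POS]),
                         conj([Not(And(P(a), P(b))) for a, b in combinations(POS, 2)])))
# Defaults D: clockwise movement, one position per time unit.
D = [G(Implies(P(a), X(P(b)))) for a, b in zip(POS, POS[1:] + POS[:1])]
# Exception E: the emergency lever.
L = P('lever')
E = [G(Implies(P('push'), L)),
     G(Implies(And(Or(P('3down'), P('2down')), L), X(L))),
     G(Implies(And(L, P('3up')), X(And(P('2up'), L)))),
     G(Implies(And(L, P('1down')), X(And(P('1down'), Not(L))))),
     G(Implies(And(L, P('2up')), X(And(P('1up'), L)))),
     G(Implies(And(L, P('1up')), X(And(P('1up'), Not(L)))))]

# Constructed runs (not from the paper): the undisturbed wheel, and a run in which
# the lever is pushed at 2up, the chair reverses to 1up, stops, and the lever is released.
NORMAL = Lasso(prefix=[], loop=[{p} for p in POS])
EMERGENCY = Lasso(prefix=[{'1up'}, {'2up', 'push', 'lever'}, {'1up', 'lever'}],
                  loop=[{p} for p in POS])

def models_all(m: Lasso, fs) -> bool:
    return all(valid(m, f) for f in fs)
```

On the normal run every formula of $D$ and of $E$ is valid (the lever formulae vacuously, since push never occurs). On the emergency run $E$ and the state constraint are valid, while `violations` locates the two defaults that are broken: $G(2up \rightarrow X\,3up)$ fails at time 1, where the chair reverses, and $G(1up \rightarrow X\,2up)$ fails at time 2, where it stops.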

3.3 The Pre-order

When defining the pre-order the first thing to note is that not every formula should be overridable. In particular, state constraints have to be rigid, otherwise we could satisfy the exception by allowing the chair to be in more than one position at the same time. The formulae that should not be invalidated we call axioms, and they cannot be overridden. The details of how to do that are omitted, but the idea is to consider hierarchic specifications. A hierarchic specification consists of two parts: a set of axioms that correspond to the facts that must hold, plus a set of defaults. The defaults are organised by priority levels and they express properties that are likely to be true but can be overridden by other information, either by the axioms or by defaults with higher priority. The models of a hierarchic specification are the models of the axioms that satisfy as much of the defaults as possible, taking into consideration the priority among them. The pre-order on morphisms is generalised to a pre-order on families of morphisms. More details can be found in [5], but here it would correspond to considering for minimisation only the models of the axioms. In our example the state constraint is expressed by the first formula of the specification of the Ferris wheel.

Thinking about how to order the morphisms, a first possibility, which follows from the ideas in [10], would be the following: if $h\colon m \to n$ and $h'\colon m \to n'$ are morphisms between temporal interpretations for a signature $\Sigma$, then $h \leq h'$ iff for all $t \in \mathbb{N}$, if $m$ disagrees with $n$ at $t$ then $m$ disagrees with $n'$ at $t$, where by disagree we mean that they do not satisfy the same propositional symbols at that instant. This definition has two immediate problems. Firstly, if $m$ disagrees with $n$ at some point $t$ then what happens after $t$ might be meaningless. As an example consider the Ferris wheel; let $m$ be a model of the exception (the formulae that describe the lever) and $n$ a model of the initial specification. Suppose that at some time point $t$, $m$ is at 2up, the lever is not pushed in $n$ and is pushed by $m$, i.e. at $t+1$ $m$ is at 2down. If $n$ agrees with $m$ at $t$ (i.e. $n$ is at 2up as well) then obviously they disagree at $t+1$. Moreover, even if $m$ behaves as expected after $t$ it will differ from $n$, and these differences are meaningless because they are the result of what happened at $t$. This suggests that we want, at some point in time, to freeze the interpretation $n$ while the other one behaves in its own way. Therefore morphisms between interpretations are functions that choose, for each time point of the domain interpretation, a time point in the codomain that satisfies exactly the same symbols as the domain at that point. This represents the idea of supposing that $m = n$; we then compare the satisfiability of the propositional symbols at the next point. Following this idea, morphisms between interpretations are monotonic functions $h\colon \mathbb{N} \to \mathbb{N}$ such that for every time point $t$ and every symbol $p$, $m \models_t p$ iff $n \models_{h(t)} p$, and we check whether $m \models_{t+1} p$ iff $n \models_{h(t)+1} p$ in order to show how much $m$ and $n$ differ.

Another problem with that definition of the pre-order is that it blocks the occurrence of the actions that change the behaviour of the initial specification, like the action of pushing the lever. With that definition the minimal models of the Ferris wheel with the lever would be the ones where the lever is never pushed, which is highly undesirable since we want to be able to push the lever whenever we like (whenever there is an emergency). This suggests that we only want to compare interpretations that have the same occurrences of actions at the same time points. However, this becomes a problem when comparing interpretations with actions that have enabling conditions, as explained below. Nevertheless we have to treat actions differently from attributes in the minimisation process, and we split the signature $\Sigma$ in two disjoint sets: one for the actions, $\Sigma_{Act}$, which cannot be minimised, and another set $\Sigma_{Att}$ for the attributes. The language we consider is built from the signature as explained before.

Definition 2. A signature is a pair of disjoint sets $\Sigma = (\Sigma_{Act}, \Sigma_{Att})$, where $\Sigma_{Act}$ is the set of actions and $\Sigma_{Att}$ is the set of attributes (or observations).

We impose that comparable interpretations agree at the first instant, i.e. we suppose that they satisfy the same symbols at the instant 0. The reason for this restriction is that when we have a system we know the initial state and we are interested in the way it evolves; systems with different initial states will obviously be different and the meaning of the comparison is unclear.

We can now define the morphisms between interpretations. Firstly we introduce some notation. Let $h\colon \mathbb{N} \to \mathbb{N}$ be a partial function and $t \in \mathbb{N}$ a natural number. Then

- $h(t)\uparrow$ means that $h$ is undefined at $t$;
- $h(t)\downarrow$ means that $h$ is defined at $t$;
- $h(t)^{\downarrow} = h(t')$, where $t' \leq t$ is the greatest time point less than or equal to $t$ at which the function is defined.

Sofia Guerra

The idea of the morphisms is to relate two temporal interpretations $m$ and $n$ that have the same initial state (they satisfy exactly the same symbols at 0) in such a way that for each instant $t_1$ a time point $t_2$ is chosen, monotonically, such that the domain interpretation $m$ at $t_1$ satisfies exactly the same symbols as the codomain interpretation $n$ at $t_2$. This choice is partial, to allow cases where such a $t_2$ does not exist. These conditions are formally expressed by the following definition.

Definition 3. Let $\Sigma$ be a signature and $m$ and $n$ be two temporal interpretations over $\Sigma$. A morphism $h\colon m \to n$ is a partial function $h\colon \mathbb{N} \to \mathbb{N}$ such that:

- $h(0) = 0$;
- for all $t_1, t_2 \in \mathbb{N}$, if $t_1 < t_2$, $h(t_1)\downarrow$ and $h(t_2)\downarrow$ then $h(t_1) < h(t_2)$;
- for all $t \in \mathbb{N}$, if $h(t)\downarrow$ then for all $p \in \Sigma$, $m \models_t p$ iff $n \models_{h(t)} p$.

Let us look at an example of a morphism between two temporal interpretations.

Example 1. Let $\Sigma = (\Sigma_{Act}, \Sigma_{Att})$ be a signature where $\Sigma_{Act} = \emptyset$ and $\Sigma_{Att} = \{p\}$. Consider the expression $Gp$ but $X\neg p$. Let $m$ be the $\Sigma$-interpretation such that $m \models_t p$ for all $t \neq 1$, and $n$ the $\Sigma$-interpretation such that $n \models_t p$ for all $t \in \mathbb{N}$. Then $h\colon m \to n$ defined as follows is a temporal morphism:

- $h(0) = 0$;
- $h(1)\uparrow$; and
- $h(t) = t - 1$ for every $t > 1$.

This morphism can be represented by a diagram in which the time points of $m$ and of $n$ are drawn as two rows of dots and each point of $m$ other than 1 is connected to its image under $h$ (diagram not reproduced).

This morphism belongs to the class of morphisms whose domain satisfies $X\neg p$ and whose codomain satisfies $Gp$, i.e. $h \in \mathit{Mor}(X\neg p, Gp)$. Note that at time point 1 the function $h$ has to be undefined, as there is no point in $n$ that satisfies $\neg p$. However, the choices for the other time points greater than 1 are arbitrary as long as they are monotonic. We chose this morphism among several other possibilities because it will be minimal in $\mathit{Mor}(X\neg p, Gp)$ once we define the pre-order on interpretation morphisms. In fact this morphism will also belong to the class $\mathit{Min}(X\neg p, Gp)$, and hence $m \models Gp$ but $X\neg p$. We present the proof that this is a minimal morphism in the appendix.

Now that we have defined morphisms between temporal interpretations we can return to the notion of 'closeness' in order to define the pre-order.

Concordance on Initial States. Although we cannot define the pre-order yet, taking into account the previous considerations we know that we only want to compare interpretations with the same initial state. If $h\colon m \to n$ and $h'\colon m' \to n'$, this implies

1. $\forall p \in \Sigma.\ m \models_0 p$ iff $m' \models_0 p$.

Minimisation of Discrepancies. Suppose $h\colon m \to n$ is a morphism between two temporal interpretations. If $m$ were 'near' $n$ it would, at every time point, have behaved in the same way as $n$ when in similar states. Discrepancies are the cases when this does not happen.

Definition 4. Let $\Sigma = (\Sigma_{Act}, \Sigma_{Att})$ be a signature, $h\colon m \to n$ be an interpretation morphism and $t \in \mathbb{N}$ a time point. We say that there is a discrepancy at time $t$ between $m$ and $n$ according to $h$, written $m \neq^t_h n$, if $h(t)$ is defined and there is an attribute $r \in \Sigma_{Att}$ such that
$$(m \models_{t+1} r \text{ and } n \not\models_{h(t)+1} r) \quad\text{or}\quad (m \not\models_{t+1} r \text{ and } n \models_{h(t)+1} r).$$

This notion of discrepancy expresses that the two interpretations, in spite of being in similar states at a certain instant, behave in different ways. This depends on the morphism $h$, which chooses from $n$ an instant to compare with $m$ at the instant $t$. By definition of morphism, if $h\colon m \to n$ is a morphism then $m$ satisfies at $t$ exactly the same symbols as $n$ at $h(t)$. Therefore, if the two interpretations progress in different ways at the following instant ($t+1$ for $m$ and $h(t)+1$ for $n$) then they satisfy different attributes there. This notion of discrepancy is going to be used to define the pre-order: two interpretations are 'nearer' the fewer discrepancies they have, and a discrepancy is the justification for an unexpected difference between the interpretations linked by a morphism.

If $h\colon m \to n$ and $h'\colon m \to n$ are morphisms we want to know whether $m$ is closer to $n$ according to $h$ than according to $h'$. The main idea is to minimise the discrepancies. We could say that $h\colon m \to n \leq h'\colon m \to n$ if, whenever there is a discrepancy at $t$ between $m$ and $n$ in $h$, there is also one in $h'$ at the same instant $t \in \mathbb{N}$: if $m \neq^t_h n$ then $m \neq^t_{h'} n$.

The problem with this definition is that it does not look at how an interpretation arrived at the instant $t$: if an interpretation has already departed from the default behaviour at an earlier instant, so that from then on it agrees with the codomain only at points of no interest or the morphism is undefined, the absence of a discrepancy at $t$ says nothing, and we could not conclude the relation we want.
th r 1 tion nt . hin in in out th rri lr 1 mpl uppo 
h m n n h m nr morphi m m n m ti y lever t th m 

in t nt n th y r t 0. uppo t i tim point lr r m i t 2up n 

th lever i pu lr t t n thi i th r t tim th 1 v r i push . n 

1 o uppo th t or t m ti 11 th ormul o th initi 1 p i tion 
( ithout th lever), n th on ition th r i i r p n y t n to n n 

t t. o v r i to i t down point t t ( u it i not olio th ult 

ormul t om pr viou in t nt) th nthrinoirpnytt t n 
to. n n n oul not pr r th morphi m h to th morphi m h . hi 
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i o viou ly un ir 1 th int rpr t tion to h 1 y h v ir 

ut to h not. o olv thi impo th t i ft to n z ft to n n 



i th r i 


i r p n y 


t n to. 


n n t ft th t 


o not i t 


t n 


m 


n n th 


n th r mu t 


r on 


or thi ith r 


u ft i un 


n 


t t 


or u 


t pr viou in 


t nt th r 


i r p 


n y in ft. th t i 


not 


i t 


in ft. hi 


iv ri to th 


olio in 


on ition th t 


to th pr 


viou 




lr y h 


i ft to n 


s ft to. 


n th n 








2. h 


N. ((to. h tl n 


h' 

to. tl n 


ft (*i) ) 










ri 

(3*2 < * 1 - (to t2 n ft(t 2 ) 


( h ' 

(to t2 n 


hit 2 ) )))). 







Synchronisation of Actions i th t th o urr n o tion houl 



not lo 
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th minimi tion pro 
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oin 
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ult . h 
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Example 2. 


on i 


r li r ry ith oo 


h oo o 


th 


li r 


ry n 



v il 1 to t a y u r. h ttri ut available m n th t oo i 
v il 1 to t n y u r. oo n taken h n it i available hi li 
m it not available, imil rly oo n returned h n not available hi h 
u it to available in. 

uppo no th t nt to on i r r rv oo li vin th 

prop rty th t th y m y not t n out o th li r ry. n thi li n th 

oo i suspended it top in available until it i resumed in. 

h i n tur or thi p i tion i £ (£A c ti £au) h r £Act taken, 
suspended.returned, resumed n £au available . n th t o ult 

D o thi p i tion ill in lu 

G(taken available) 

G(taken X^available) 

G(available ->taken Xavailable) 

n th olio in ill in lu in th ption th t ri th r rv 

oo 

G(suspended available) 

G(suspended X^available). 
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n th o urr n o th tion suspended houl not r tri t . o - 
v r taken houl only o ur h n available i tru ; available houl n 

n n lin on ition or taken. u t rli r t o morphi m r 

only omp r h n th ir int rpr t tion orn in h v th m o urr n o 
tion o not lr v y o pr rrin int rpr t tion in hi h taken o ur 

only lr n available i tru . 

ho in th pr viou mpl tion th t r 1 y n 1 i. . 
tion th t o not h v n lin on ition houl not lo v n i th y 

r or u in on i t n i ith th ult . o v r i th ult r tri t 
th ir o urr n th on ition houl t n into on i r tion. n or r 
to o th t impo th olio in in th h r th r r no n lin 

on ition or th o urr n o tion ill only omp r morphi m i 

th ir om in lr v th m o urr n t th m tim point . th om in 

o t o morphi m h n h o not ti y th m o urr n o tion t th 

m tim point th morphi m r omp r 1 only i th r r on or 
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n th 


0 urr 


n ith r 
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in pr viou 
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^ Act 
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(m lh tl a 


m lb tl a) 














02 


< t\. 


(m 


h' 

*2 n 


h (t 2 ) 
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ym. t2 n 
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Surjectivity and Weak Abstractness o n th pr -or r th r r t o 
urth r on ition th t n to impo . nt minim 1 morphi m to 

n po i 1 ompl t ly un n un tion o not lr v ny 
i r p n y. n in th m y i ith th o urr n o tion in 

on ition 3 n 4 i h e h n th r i tim point t\ u lr th t h(t\) n 

h (t i) th n th r r on or it n m ly th r tim point <2 or 

t\ t hi h th r i r p n y th t i not o ur in h or t th t point 

h(t 2 ) n n h (t 2 ) un n . hi orr pon to on ition 5 o 

nition 5 lo . 

hit on ition o th pr -or r n ur th t th morphi m r ur- 
j tiv po i 1 ; thi lr r ult th t i ntiti r minim 1 n th t ny 

minim 1 morphi m i urj tiv . n thi y th on ition o tr tn 

i v ri . llo non- urj tiv morphi m to minim 1 th n oul 

lr v t o int rpr t tion lin y n r nr nt th t oul not ti y th m 
ormul . n th point o th o om in int rpr t tion th t r not m pp y 

ny point o th om in th int rpr t tion oul ti y i r nt propo ition 1 
ym ol th t oul r ult in th t o int rpr t tion not ti yin th m 

ormul . h orm 1 nition o th pr -or r i th olio in 
Definition 5. Let Σ = (Σ_Act, Σ_Att) be a signature, and h m n and ft 
to n be interpretation morphisms. We say that h m n s h m n 

iff: 

1. p E. TO. lb o p iff m lb o p; 

h 

2. t\ N. ((to. txTi to tl n h (ti) ) 

(3t 2 <t 1 .(m t2 n h(t 2 ) (to h t2 n h (t 2 ) )))) 

3. a EAct ■ ti N. (to lb tl a to. Ib (l a) 

((3t 2 < fi- (to t2 n h (t 2 ) {m h t2 n h{t 2 ) ))) (ft(fi) h (ti) )) 

a EAct- ti N. (to lb tl a to. Ib tl a) 

((3t 2 < ti. (to. t2 n h(t 2 ) (to. 71 t2 n ft. (t 2 ) ))) (ft(ti) ft (ti) )) 

5. ti N. ((ft(ti) ft (ti) ) 

(3t 2 <t\. (m t2 n ft(t 2 ) (m h t2 n ft (t 2 ) )))) 

6. ( t N. (m h tfi iff to h tn) (ft(f) iff ft (t) )) 

( f N. ((3ti N. ft(f — 1) < ti < ft(f) p E. (to lb t p iff n lb tl p)) 

(3t 2 N. ft (t — 1) < t 2 < ft (t) p r. (to Wtpiffn lb t2 p))). 

To sum up, we only compare morphisms if their domains have the same initial state (condition 1). The minimisation of the discrepancies is expressed by condition 2. This resembles chronological minimisation [11], where faults in earlier instants have higher priority than the ones occurring later. However, some of the problems with chronological minimisation do not occur here, for example it could postpone the occurrence of the actions forever. Conditions 3 and 4 make possible the comparison of interpretations only if the same actions occur at the same time points (unless there are reasons); the symmetry of conditions 3 and 4 is a way of avoiding the blocking of the occurrence of actions. Moreover we prefer morphisms 'more defined' and 'more surjective' (conditions 5 and 6 respectively). This relation is indeed a pre-order and it verifies the conditions presented in the previous section. In particular the conditions 0-symmetry and 0-equivalence result from the fact that a morphism h is minimal in the pre-order iff h is an identity [5].

oin to our mpl It E EAct, Eau th i n tur ith 

EAct P us h n Eau 3down, 2down, ldown, lup, 2up, 3up, lever . lr v 
th t i to i mo 1 o th t t on tr int n to lb D but E th n to i on 

0 th ir mo 1 i th h ir i t 3down 2down or t 3up or 2up ut th 

nr r n y lever lr not n pu lr th n it lr v or in th lever; 

1 th lr ir i t ldown or lup n th lever h n pu h it top ; i it i t 
2up or 3up n th lever h n pu h th n it lr n ir tion p i 

in th ormul . hi r m or n t n to th n r 1 

ith v r 1 ult ith n r itr ry pr n t n th m [10 5 . 
4 Concluding Remarks 

In this paper we presented a framework for specifications with exceptions for software systems that evolve over time. This framework is based on the notion of default institution [10], which allows partial re-use of specification modules. The semantics is parameterised by a notion of distance between interpretations.

We proposed a temporal instantiation of this framework which consists of the usual propositional linear temporal logic, but where the notion of morphism between interpretations is changed and it is extended with a pre-order between the morphisms. This notion of ordering between morphisms of interpretations is used in order to deal with non-monotonicity in specifications, and by describing specifications of reactive systems through the use of temporal logic descriptions including defaults, the temporal framework provides semantics for those specifications. We illustrated the developed formalism with an example where specifications are reused but where the new behaviour contradicts the initial specification. In this example the initial specification is used as a default to which exceptions are added, avoiding the necessity of writing the whole specification from the beginning. This framework handles temporal default specifications in a way that solves some of the problems of previous work in the area [16].

Further work is needed in order to study the applicability of this framework. Firstly, this could be generalised to a multi-sorted first-order temporal logic or to other more powerful languages. Moreover, it is necessary to study the decidability of this formalism and the development of algorithms to compute the models in a way similar to the ones for first-order logic [10].
A Example 1 (Proof) 

ir tly uppo th t h m n i morphi m in Mor(X.^p,Gp) n th t 
h £ h. ho tli t h % h y h in th on ition o th pr -or r 

1. on ition 1 2 n 3 r tru in y hypoth i h e h. 

2. on ition 4 i tru u th r i no tim point t u h th t m h tn n 

C yd 

m t n m tn i t 0 hi lr impli m tn . 

3. t h(t) 1 t h (t) n th n on ition 5 i 1 o v ri 

4. on ition 6 i tru u or 11 1 N th r i no f u h th t h(t — 1) < 
t < h(t) n p S. m Ihf p i n lb t . p. 

n th oth r ir tion uppo th t to i not in th on ition ri n 

It h m n morphi m in MinfX.~<p,Gp) ho om in i m. 

to I F o P i impo i 1 in hi morphi m n in nib G p lr v th t 

n I bo p n to I bo p. 

to I b i p i impo i 1 in to. i mo 1 o X^p. 

3t > 1 ith to. lb** p ( hi lr impli h(t ) ). n thi on ition prov 
th thi not minim 1 ontr i tin th hypoth i . t h to. n th 

morphi m u lr th t 
n lb t p or 1 It N; 

to. Ibf p i p N — 1 ; n 
h{ 0) Oh (1) n h it) t— 1 or t > 1. 

h v n h £ h. o th t thi r 1 tion i tri t i. . th t h. ^.£ h 
not th t 

h ^ 

i h (t — 1) th n to t*-in n to. t*-i n ■ Mor ov r t < t — 1 i 
h h 

to. t n n h[t) th n to n t n h (t) . n it il on ition 4. 

n th th t h (t — 1) it il on ition 5. 
Abstract, n the p e ent p pe we gene lize two un ment 1 y tem 
mo oiling the flow o time the mo 1 logi . n p opo ition 1 line 
time tempo 1 logi . e flow to on i e whole et o t te in te 

o only ingle one t eve y time. Mo eove we time th t the e et 
in e e in the ou e o time, hu we get i o m li m exp e ing 
i tingui he yn mi pe t o et g owing, u m in e ult in lu e 
completeness o the p opo e xiorn tiz tion n decidability o the et 
o 11 o m lly p ov le o mul . 



1 Introduction 



u qu ntl w r on rn w th t nr ng n th our o t m . h 
v r g n r 1 ppro lr or th mom nt r m work o th k n tu 11 o ur 

n m n 1 o omput r n . M th r r w 11 th nk o grow ng g - 

om tr o j t r t. t n t w 1 tt k urr nt pro 1 m o r r lr 

to g t n qu t p t on 1 ngu g nor r to r on out u ho j t 

orm 11 . 



noth r x mpl t m rom th ont xt o mult g nt t m . h to 
t t r pr nt ng th o n g nt nvolv n u h t m lr ng 

ur ng th t m runn ng. n p rt ul r th g nt lr r 

n wlr 1 runn ng t tu 11 nr ; ] . n t th 

1 ngu g w ntro u low or g n t rom th knowl g th or t ont xt 
n orr pon ng r t n n t (wh h how v r rv 

noth r purpo now qu nt ng n t ). 

ow t po 1 to tr t n r ng t orm 11 ? lr ppro lr w t k 

on p wh lr on t o th to urr ng n th our o t nr r p- 

r nt th m nt 1 om n o n ppropr t 1 ngu g . ur m to prov 
hr t r z t on o th v s th n . . th ormul hoi ng un r 11 u h 

r um t n ; mor ov r w r nt r t n th Igor thm prop rt o 

th r ng log 1 t m . 



T. Rus (Ed.): AMAST 2000, LNCS 1816, pp. 41-56, 2000. 
Bernhard Heinemann



ow m u h t m look lk? h th po nt wh r on h to m k on 

lio . ur t rt ng po nt rt n tt ng th t h n ntro u 

w r go 3] . t m t s 1 n ptur s 

0 t t 1 t. hu t o r to our top . 2 o or onv n n o th 

r r w m nt on th v r tur o th t m v lop n 3]. n 

th mpl t two mo It r nvolv th r n on gn t wh h 

qu nt ‘lior zont 11 ov r th 1 m nt o t n noth r on □ wh h 

qu nt ‘v rt 11 ov r rt n o t u t xpr ng r n th w . 

h two mo It lontrt(nthrulrptvl). h nt r t on 
p n on th m nt 1 tru tur to x m n . t h 11 ng ng t k n 
g n r 1 to r th nt r t on x om t 11 . 

vrll os s s..pr(, ) u h th t non mpt t n 

t o u to h v n tr t on th o th ju t n t 

s s s up to now; 6] or om x mpl n t on 

to 3] . n v wo wh t ollow n th on p rt o th r t 1 t u m nt on 
p rt ul r v r t on o wh r hr nk ng o t pro ns s s; 

10] n 11], 

n th pr nt p p r w u 11 1 w th th o t . mo th 

nt rpr t t on o th □ op r tor o th log o t p ppropr t 1 . t turn 
out th t th n w tu t on not qu t m 1 r to th t o topolog 1 mo 1 
log th r ult r v n mor t tor hr u w g t m nt 1 

ompl t n x tl w th r p t to th nt n 1 n r tru tur ; ontr t ng 
w th th 11]. 

h o w on r tmouhgnrltp? w nt to prov t t 

pr ntl our ppro h qu t or 1 ng w th pli nom n n t 

th ov x mpl li r nt on . u to th u o th p p r w 
1 th t our tt ng n t prom ng. ng urth r op r tor n turn ng 

to n r tru tur m nt 1 om n t li n on w th th ‘ 1 1 

t m m nt on t th g nn ng p 1 purpo t m ppl 1 n ‘r 1 

1 houl r ult. 

h outl n o th p p r ollow . ntro u log 1 1 ngu g 

wh h 1 to p k out th growth o s t . li on n two w 
r t onl th mo 1 op r tor n □ r pr nt n th ommon log 
o t p .ut th □ op r tor qu nt ‘upw r ov r t now n t 

0 th u u 1 qu nt t on ‘ ownw r on r n th log o t p 

n th nt x n th m nt o th 1 ngu g pr 1 n g v 

1 t o x om wh li r v 1 n 11 o th nt n m nt 1 om n . 



We prove completeness of the given axiomatization afterwards, which turns out to be 'nearly canonical'. The logic is shown to be also decidable. In fact the


Many years ago certain connections between modal logic and topology have already been discovered; see [12]. Recently they have been utilized for spatial reasoning; see [1].

There are different formalisms of computational logic dealing with dynamic aspects of sets as well, but having other main points of emphasis; see [9] for instance.
Generalizing the Modal and Temporal Logic of Linear Time

11 s y hoi ; . . v r ormul 3 th t not th or m 

n 1 n n t mo 1 o th x om ; urth rmor th z o th 

mo 1 p n omput 1 on th 1 ngth o . n th on p rt w 
th w 11 known op r tor o n to 1 ng th r 

gnrlztono In rtm t mpor 1 log h 1 tt r t m w 1 u n 
omput r n p 11 or v r ng on urr nt progr m . 1 w th th 

m qu t on n th r t not n n logou r ult . ut t hn 1 

on rn om mor ompl t now u to th pr n o th t on 1 

mo It ; .g. w h v to work w th u t 1 ltr t on lr n th our 

o th ompl t n proo . 

h p p r r qu r qu nt n o th r r w th th o propo t on 1 

mo 1 n t mpor 1 log ; .g. non 1 mo 1 n ltr t on t hn qu r 

ppl r qu ntl ; th t xt ook 1] n ]. n p rt ill r P rt n n 
P rt wo o ] uppl nough kgroun . p 1 m t w li v to 

om t m n t 1 p 11 n proo . 

2 The Language 

h n t on o th sy o t rt t u t 1 ( n t ) lph 

n p rt ill r n 1 on to n r ur v t o s v 

li t o s n th m 11 t to tr ng 

th ollow ng 1 u 

. n , € , , □ , ( A ) G 

om t r k t n u r v t on t u u 1; urth rmor wit 
= n O = □ 

h to n th s so ollow . woul 1 k to r 

th growth o g v n t . hu rt n up r t o h v to on r 
n th orm 1 mo 1. on qu ntl w t k un v r n wli li 11 th t 

r ont n n th t m o th t th ngr nt o nt r- 

pr t ng ormul wh h on w.r.t. truth v lu gnm nt to propo t on 
n w w 11 on r rt n tr pi ( , , ) r 1 v nt tru tur wh li 

r p th u qu nt n t on. 

Definition 1. y s 

T { , ) s 

2 s s s lnr s 

( , ) s s 

T s v lu t on 

In r mo 1 

3 o mul e e ign te y lowe e eek lette u e uently. 

e look upon (not ne e ily i ete) en ing h in mo tly. 




t wh h s V. t ng 



r go ng to nt rpr t ormul n mo Its sou trm wh h r mpl p r ,U ( gn t w thout r k t mo tl ) u lr th t £ U £ . h t U m ur ‘ t n to th po nt . 






Definition 2. ( > , ) s ,u ( , ) v T £ , e ,u M ( , ) i ,u M ,U M ,u M A ,U M 5 u M ,U M ,U M £ U ,u M □ M D U n ,U M v 1 w th t s s M: 
mor ov r th ormul £ s ( not M ) t liol n 

t v r tu t on. th r no m gu t w om t th n x u qu ntl . 

t u t r m ( , ) g v n 

N n 0, , n n £ N 

Mor ov r 1 t N n r tr r u t. n v lu t on ( , ) 

1 £ or 11 £ n £ N. lr n th h m □ lrol 

n th r ult ng In r mo 1. lr u to th t th t th tu 1 nt 1 

gm nt o N nt r t th n th v 1 or 11 u qu nt on (wlr lr r 

n t 1 rg r). 

n or n w th th nr o th p p r outl n ov w on ntr t on 
mo 1 u qu ntl . pr nt 1 t o x om wh h lrol n 11 1 n r 
mo 1 on n 1 

Axioms 

(1) 11 n t n o propo t on It utolog 

( ) ( ) ( ) 

(3) 

( ) 

( ) 

(6) ( □ )A( □ ) 

( ) □( ) (□ □ ) 

( ) □ 

(9) □ □□ 

( 10 ) □(□ ) □(□ ) 

( 11 ) □ □ 

or 11 £ n , £ or onv n n 1 tu gv om omm nt on 

th x om . h r t lr nr m propo t on 1 log n th tu 1 t m. 

h n xt group o x om on t ng o th lr nr ( ) ( ) w 11 known 

rom th ommon log o knowl g o ngl g nt. n t rm o mo 1 log 





(3) ( ) xpr th prop rt o r fl x v t tr n t v t n w k mm tr 5 

r p t v 1 o th mo 1 1 1 r 1 t on; omp r 1 o h m ( ) n (9). 

n th n x om (10) orr pon to ss; . . g v n r tr r 

po nt , , o u u 1 r pk r m ( , ) u h th t n th n 

or or lrol th h m v 1 n ( , ); pr ntl t r pon 1 

or In rt n onn ton w th (11). h group o x om nvolv ng onl th 
□ op r tor ompr t noth r p ul rt th h m (6). t llow u to 

n th m nt n th w w ov n m 1 m n o tu t on 

w thout xpl t r r n to t m 6 ut t mpl th t th t m to n 

mm t 1 not lo un rut tut on; r g r ng ont nt (6) th t w 
um th tom propo t on to ‘ t 1 or ‘p r t nt . n 11 th h m 

(11) om n ng oth mo It o t w th th growth o t . 

ng th ollow ng rul w g t u tv t m gn t GS. 

Rules 

(1) — (mo u pon n ) 

( ) ( n t t on) 

(3) (□ n t t on) 

n th n xt t on w how how ompl t n o th t m w.r.t. th 1 o 
In r mo 1 n o t n 



3 Completeness 

o prov ompl t n o th t m GS w.r.t. In r mo 1 w u t 

xt n v 1 . h mo 1 orm n th u u 1 w ( ] ); . . th 

om n o on t o th to 11 m x m 1 GS on t nt to ormul 
Abstract. In this paper we present two different approaches used in 
specifying a well-known audio control protocol with real-time charac- 
teristics. The first approach is based on Circal, a process algebra that 
permits a natural representation of timing properties and the analysis of 
interesting aspects of timing systems. The second approach is based on 
the Timed Interval Calculus, a set-theoretical notation for concisely ex- 
pressing properties of timed intervals. The comparison between the two 
approaches shows that they are almost complementary: the former al- 
lows an easy modelling of the most procedural aspects of the protocol and 
provides a fully automatic proof but cannot catch all timing aspects; the 
latter allows easy modelling of all timing properties but the proof is quite 
hard and cannot be fully automated. This suggests a decomposition of 
the proof into subproofs to be performed in different proof environments. 



1 Introduction 

h s stu y p s nt in this p p is tim -s nsiti u io ont ol p oto ol 

lop y hilips. his p oto ol is int n to us in utu high lity 

syst ms wh ont ol sign Is p ss tw n th ious ompon nts o th syst m 
su h s n mpli pi y s sp k s io t . i us. h p s n 

o su h ont ol n two k s ition 1 tu s to th syst m ut m k t 
o s qui th t this xt un tion lity is hi t minim 1 osts with 

minimum o ition lit oni ompon nts. Most o th mo ul s in su h n 
u io syst m ont in mi op o sso n it is th s mi op o sso s whi h will 
us to lis hop ully o ust ommuni tion m h nism tw n th m. 

h p oto ol is n impo t nt n hm k s stu y whi h h s h 11 ng 

num o o m lisms. sion o th p oto ol with only on s n n 

on i w s p iously sp i n n lys y oss h t 1. 2 using 
lin hy i syst ms. n su s qu nt p p s y oth utho s p op ti s st t 

n p o y h n 2 h n utom ti lly i y using mo 1 h king 

s tools su h s onos y h 11 pp 1 1 13 n th i 1 yst m 
5 n th o m p o s su h s th L h o 10 . ntly th p oto ol 
h s n mo 11 in 1-tim p o ss lg y h n who h s us w k 
isimul tion to m nu lly i y its impl m nt tion g inst its sp i tion 7 . 

T. Rus (Ed.): AMAST 2000, LNCS 1816, pp. 57-72, 2000. 

(c) Springer- Verlag Berlin Heidelberg 2000 
n th u nt p p two y i nt pp o h s us in sp i ying th u- 

io ont ol p oto ol i tly omp . n th st pp o h 5 th p oto ol 
is mo 11 using th i 1 p o ss lg . lthough i 1 1 is is t 

o m lism it p mits n tu 1 p s nt tion o timing p op ti s n th n 1- 

ysis o int sting sp ts o timing syst ms 5 6. h utom t i tion 
o th p oto ol is nti ly p o m within th p o ss lg m wo k using 

mo 1- h king t hniqu without ou s to t mpo 1 logi . 

n th s on pp o h th p oto ol is mo 11 using th im nt 1 

1 ulus ( ) 9 . h o m 1 i tion h s n i out y h n ut it 

is u ntly ing utom t th ough n impl m nt tion o th im nt 1 

1 ulus within th go th o mpo 3 . 

show th t th two pp o h s ompl m nt y in t ms o ompl xity 

o th sp i tion. h s n n sily sp i in n lgo ithmi shion 

using th p o ss lg ut qui s th nition o ompl x in st u tu 

to uil up th xiom ti sp i tion in . On th oth h n th tim 
s o ing y th i n imm i tly sp i in ut is ompl x 

in i 1. Mo o th p o ss lg nnot h t is lin o th 

o ing u to th st t xplosion us y th ti k tions wh s lin s 
n t i i lly n in . in lly th o tn ss p oo is simpl n n 
ully utom t in th p o ss lg wh s is quit ompl x in 

2 Description of the Protocol 

The protocol forms part of the physical layer of an interface bus that interconnects the components of stereo systems. Messages, which consist of finite sequences of 0 and 1 bits, are encoded by a sender into timed transitions of the voltage between two levels on the single wire bus connecting the components. Receivers in components attached to the bus interpret the voltage transitions and reconstruct the bitstream messages. The senders and receivers run on different microprocessors. Since the microprocessors run code in addition to the protocol software, sender and receiver clocks may not be synchronised in frequency.

We restrict our example to only two processors communicating over a bus, one sender and one receiver, each with its own independent clock [2]. In this way problems of bus collisions due to different senders sending at the same time are avoided. We also suppose that the delay on the bus is negligible and that the sender transmits just one message.

Figure 1(a) presents this view of the protocol. The sender processor of the audio control protocol accepts a message from a buffer which it then tries to send to the receiver processor over the bus. A message is encoded by the sender according to a Manchester encoding scheme, which is an algorithm for constructing a bus signal equivalent of the message. The time flow is presented as a sequence of slots of the same length 4Qs (where Qs = 2.22 × 10^-4 s, a quarter of a slot, in the Philips protocol) and each bit of the sequence is sent by the sender as a voltage level transition in the middle of a slot: bit 0 is a falling transition and bit 1 is a rising transition (see Figure 1(b)).
Fig. 1. (a) The audio control protocol; (b) Manchester encoding: rising and falling voltage level transitions; (c) Manchester encoding: additional level transitions.



We assume that the voltage level on the wire is low before the message is transmitted and is set to the low value after transmitting. When an identical bit is sent twice in a row an additional transition is added at the boundary between the corresponding slots (see Figure 1(c)).

Since falling transitions take significant time to change from high to low level they do not appear to the receivers as edges (see Figure 2(a)). Consequently the receiver decodes only rising edges and tries to reconstruct the bitstream message from the lengths of the time intervals between successive rising edges (see Figure 2(b)). The receiver does not know when a slot starts, so there is




Fig. 2. Manchester encoding: (a) physical shape of the edges; (b) the receiver interprets the rising edges.



a potential ambiguity in interpreting the start of a message. The receiver cannot distinguish between an initial 0, which would be encoded as a slot with a rising edge at the start and a falling edge in the middle, and an initial 1, which would be encoded with a rising edge in the middle of the slot. This problem is solved by imposing the following constraint on the input:

C0: every message starts with the bit 1.

A further ambiguity arises from the loss of falling edges during transmission. The receiver cannot distinguish a sequence 10 from 1 at the end of a message. In this case the only difference is in the timing of the final falling edge, which cannot be decoded by the receiver. This problem is overcome by imposing the following constraint on the input:

C1: every message either has an odd length or ends with 00.
L t a th s qu n o th its th t h 1 y n o t t in 
point in tim . only th 1 st ising g on th wi h s still to o t 

th t tim n it is int p t sou ing in th mi 1 o slot th n th 

o m ss g is crlO wh n a h s no 1 ngth n is a 1 wh n a h s n n 

1 ngth. o th m ss g n o without m iguity. 

us o th it tw n th s n n i lo ks th ist n 
tw n su ssi ising g s m su y th i is in g n 1 i nt 
om th t m su y th s n . h p oto ol h s n sign to hi 
li 1 ommuni tion n in th p s n o this signi nt timing uncertainty . 

h int p t tion o th tim ist n tw n su ssi ising g s will 

0 t p o i th t th i t is h 1 within limits th t p n on th p oto ol 

sp i tion. 

L t us n n upp oun on th tim n o th i to o 

gi n m ss g . in th st it (whi h is lw ys 1) is imm i t ly no i 

th gi n m ss g onsists o m its th n th 1 st it is no y th s n 
t tim (to — 1)Qs- ow th i h s to w it n ition 1 tim in 
o to su th t th n o th m ss g h s n h . tu lly Qs is 

th long st tim th t m y o u tw n ising g s. t o us wh n n o ing 

th s qu n 101. Mo o th it tw n s n n i must t k n 
into ount. p is th tio tw n th s n lo k t n th i lo k 
t th n Qr = pQs wh Qs is th tim unit o th s n ( qu t o 
slot) n Qu is th tim unit o th i h sp i tion o th p oto ol 2 
qui s th t th i t ts th n o th m ss g wh n tim 9Qr h s 

1 ps t os ing th 1 st ising g . h o th upp oun on th 
tim n to o gi nm ss g is (m — l)Qs 9 Qr = (to— 9 p)Qs- 

oti th t th o ing is o t only i Qs < 9 Qr th t is p > |. 



[Fig. 3 (a) and (b): decoding interval boundaries 0, 3, 5, 7, 9, labelled err, 0, 1, 01, odd, add 0, end]




Fig. 3. (a) Decoding intervals when the previously decoded bit is 0. (b) Decoding intervals when the previously decoded bit is 1. (c) Example of message decoding.



n igu 3w illust t th o ingo th m ss g no in igu 1. h 
tim int Is tw n su ssi ising g s int p t in i nt w ys 
o ing to th lu o th it p iously o . igu 3( ) n igu 3( ) 
n th int p t tion o th tim int Is wh n th lu o th it p iously 
o is sp ti ly 0 n 1. n igu 3( ) th st ising g is imm i t ly 

0 s 1. h su s qu nt th g s o using th int p t tion 

gi n in igu 3( ). h n o th m ss g is t t using th int p t tion 

in igu 3( ). n this s n ition 1 0 is to th o m ss g . 

ith th int p t tion in igu 3( ) th ition 1 0 is t th n o 

th m ss g only i th o p x o th m ss g os not h n o 
1 ngth. n th x mpl in igu 3 th tio tw n th s n lo k t n 

th i lo k t is p = 1.067. 

3 The Process Algebra Approach 

n this s tion w s i th mo lling o th u io ont ol p oto ol in th 

p o ss lg ppo h. o 1 ity w o not us th o m 1 not tion o th 

p o ss lg ut inst p s nt th p oto ol mo 1 in g phi 1 shion. 

i 1 is p o ss lg with multiw y ommuni tion simil to 12 ut 
with th ition 1 tu th t s 1 tions n pom simult n ously. 

si th s qu nti 1 h iou o p o ss using nit st t m hin 

( M) i g m with t nsitions 1 11 y s ts o simult n ous tions th 

th n singl tions. 11 1 omposition oposssis si yps nting 
ompon nts s ox s with ull ts noting ommuni tion po ts. nt tion 

mong p o ss s is p s nt y onn ting po ts y m ns o ows ( o t 

p ssing) o lin s ( o pu syn h onis tion) 1 11 y tions. i ing o int n 1 

tions is p s nt y n losing ompon nts within ox n llowing only 
ows n lin si 11 y isi 1 tions to go outsi th ox. oti th t 
u to multiw y ommuni tion wh n mo th n two po ts onn t w 
us ition 1 ull ts to join ows o lin s (s igu 5). 

3.1 Bitstream Messages 

m ss g is ily mo 11 in p o ss lg y n st s i s o gu 
p o ss s wh th gu s nts onsisting o singl tions th t n - 

si it 0 o it 1 o th no th m ss g . i nt tions us 
o input n output m ss g . p s nt 0 1 n no th m ss g y 

iriQ in\ n mg sp ti ly in th input n y out q out\ n orttg sp - 
ti ly in th output, o x mpl m ss g 110 is p s nt in th input s 
iniiniinoinE A n in th output s outioutioutooutE A wh A is th t - 
min tion p o ss. h m ss g s th t s tis y onst ints CO n Cl n in 

tion 2 h t iz y th C p o ss whos h iou is n y th 
M in igu . o ss C o s m ss g s to st t with in i ( onst int CO) 
n to 1 to p o m th mg tion only wh n onst int Cl is s tis 
(th t is in st t s Oo Oi n E 00 ). 

3.2 Protocol Physical Components 

h m in p oto ol physi 1 ompon nts th S s n p o ss n th R 

1 p o ss whi h st u tu in u th ompon nts s shown in ig- 




Fig. 4. Process C models constraints C0 and C1.



u 5( ) n in igu 5( ) sp ti ly. n S th Ii n ompon nt t ns o ms 
y input tion in y y = 0, 1, E into n tion i zy wh 2 is th lu 0 o 

1 o th p ious input it. in y y = 0, 1 is th st it o th m ss g th n 
it is t ns o m into io y . 







Fig. 5. (a) Components of sender process S; (b) components of receiver process R; (c) sub-components of decoder process Dec.

h Enc p o ss 5 oth n s th s n lo k y m ns o th s n 

ti ks ts longing to h tion s t n g n t s th u n d tions whi h 
mo 1 sp ti ly ising n lling g s. oti th t in p o ss lg tion 

o u n s It y t mpo 1 o 1 tion. h t mpo 1 o is in 

g n 1 p ti 1 o u to th p s n o hoi op to s whi h in u s 

n hing h iou . ow qu ntit ti p s nt tion o tim is not 
xpli it ut is gi n y int o u ing ti k tions with th impli it ssumption 

th t th ist n tw n two su s qu nt ti ks is x onst nt. how 

ssum th t th ist n tw n two su s qu nt ts ti ks is Q s . h n o ing 

lgo ithm impl m nt y th Enc p o ss is quit simpl 5 . 

h Dec o p o ss whi li is ompon nt o th i is u th 
st u tu s shown in igu 5( ). h TI p o ss m su s th tim o u ing 

tw n two su ssi u nts y ounting th num o ti ks rg n g n t s 

on o th ollowing tions 

t[0,3), t[3,5), t[5,7), t[7,7], t[7,9), t[9,9] [5]

wh tion <[ a , 6 ) h t iz s th tim int 1 a, b) n tion t[ ajQ ] h 

t iz s th tim point a, a . 

h II p o ss g n t s th pp op i t o y output tion o y si- 
mult n ous o u n o on u n ith on t[ a ,&) o on fi aa 1 with y 

err, 0, 1, 01, E . tions o err oq o\ oq\ n oe n sp ti ly n o 
it 0 it 1 s qu n 01 n th n o th m ss g . li u nt output 

tion Iso p n s on th p ious output it s shown in igu 3. h o 

th lu o th p ious output it is n o in th st t o th II p o ss. 

Mo o 

— th II p o ss g n t s simult n ously with y og ith n tion eo 

i th 1 st o it is 0 o n tion ei i th 1 st o it is 1 ; 

— th Len p o ss o s y m ns o nts od n ev th o n n 

1 ngth o th p to th m ss g th t li s 1 y n o ; 

— th AcIq p o ss s n ition 1 0 t th n ( tion oo+ o u ing si- 
mult n ously with oe) wh n th t t m ss g h s n n 1 ngth (o - 

u n o tion ev) o ns with 0 (o u n o tion eo). 

h lout p o ss t ns o ms oq into onto 0 \ into out\ ooi into out^outi 
tions t oo+,og into outoontE n og into cmtg. 

3.3 The Constraining Processes 

n ition to th physi 1 components o th p oto ol w n to mo 1 as- 
sumptions on th h iou o th syst m. h ssumptions gi n y th C 

p o ss in igu h t is 11 th m ss g s th t s tis y onst ints CO 

n Cl. s on onst int must h t is th it tw n s n n 

i . n ou n lysis w suppos th t th to th s n n i lo ks 
st y n th o w onsi x to i t. n x mpl o su h 

onst int is mo 11 y th Ds, 9 po ss in igu 6 whi li onst ins th 
t mpo 1 o ing o th rg n tr tions su h th t th ti ks o th 

s n lo k y 9 ti ks o th i lo k. oti th t o ny D s>r p o ss 
s,r N th num o ti ks o th i lo k o s tting to D 0 is t 

most 9 sin this is th m ximum 1 ngth o o ing int 1 (s igu 3). 
ny D s , r p o ss n lgo ithmi lly g n t o gi n lu s s 11 r 5 . 

h i 1 mo 1 P o th u io ont ol p oto ol is n y omposing 
in p 11 1 S R n Z) s>r s,r N n hi ing u d ts n rg s shown in 
igu 7( ). 





Fig. 7. (a) Model of the protocol; (b) constrained input of the protocol; (c) constrained protocol composed with the buffer.



3.4 Untimed Verification of the Protocol 

i 1 llows qu ntit ti p s nt tion o tim in t ms o ti k tions 6 
ut this o t n 1 s to st t xplosion. h o wh n i ying th p oto ol 

in th p o ss lg ppo hw o not s th notion o o tn ss on th 

upp oun o th tim n to o th m ss g . n in th 

notion o o tn ss in t ms o th ollowing p op ti s 

PO h p oto ol is pti to y m ss g th t s tis s CO n Cl; 

PI th p oto ol is pti to m ss g th t s tis s CO n Cl th n th 
m ss g is output un h ng . 

L t PI th p o ss mo lling th input to whi h th p oto ol is pti th t 
is th p oto ol mo 1 with th output hi n. op ty PO is s tis i th 
h iou o th PI p o ss is in lu in th h iou o th C p o ss. his is 
utom ti lly i using th i 1 yst m y t sting th qui 1 n tw n 

th Cpo ss n th p 11 1 omposition o C n PI (s igu 7( )). n 

t th h iou o C in lu s th h iou o PI i PI os not onst in 

C th t is i th p 11 1 omposition o PI n C is qui 1 nt to C . 

h t th t th m ss g is output un h ng n si y th B n 
p o ss whi h is u o p ity n th t pts th kin s o inputs ino 
ini i^E n n pt n input n g n t n output simult n ously. 
h o p op ty PI is s tis i th h iou o th onst in p oto ol 

th t is th omposition o C n P is in lu in th h iou o B n . his is 

utom ti lly i using th i 1 yst m y t sting th qui 1 n tw n 
th onst in p oto ol gi n y th p 11 1 omposition o P n C n 

th p 11 1 omposition o th onst in p oto ol n th u th t is th 

p 11 1 omposition o P C n B n shown in igu 7( ). 

n p ti i 1 p o ss P in ou s iption is p m t is y th 1 ti 

lo k t s o th s n n i ( xp ss th ough lu s s n r n 

mo 11 y D s>r ). h B n p o ss is p m t is on th p ity n o th 

u . i tion o th p oto ol in th i 1 yst m is i out y t sting 
wh th th two qui In sgi n o s h t is tions o p op ti s PO 
n PI hoi o p ti ul lu s o th th p m t s. t w s oun th t 

th qui Ins t u only i th u siz w s t 1 st 2 n th p oto ol 

p m t s w hos n su h th t 0. 9 ~ | < p = ^ | ft* 1.1 3 5 whi h 

is onsist nt with th th o ti 1 lu gi n in tion 2. 

4 The Axiomatic Approach 

h im nt 1 1 ulus ( ) is - s not tion o xp ssing p op- 

ti s o tim int Is. t is s on ontinuous tim om in T mo 11 y 

th 1 num s. 

im int Is p s nt s th s t o 11 tim s tw n som in mum 
a n sup mum b. o inst n (a, b not s th 1 t-op n n ight- los 

int 1 tw n tim s a ( x lusi ) n b (in lusi ). imil ly o (a, b) a, b) 

n a,b . h sto 11 tim int Is is not y I. 

h p in ip 1 sp i tion tool o onsists o sp i 1 k ts o ning 

th sto 11 tim int Is u ing whi h gi n p it is ywh t u 

9 . o inst n (P- is th s t o 11 1 t-op n n ight- los tim int Is 

I I su h th to h tim t I p i t P is t u t t. imil ly o 

(P) -P) n -P-. ithin p i t P th my o u n so un tions on 

th tim om in th t not ppli to gum nts; th y must int p t 

s ppli to y point in th whol int 1 I 9 . P m y Iso ont in th 

ollowing sp i 1 i Isa not s th 1 t n point o th int 1 lo not s 

th ight n point o th int 1 n 6 not s th 1 ngth o th int 1. 

n \P) = (P) -P). imil ly o \P- (P] -P\ n \P\. 

n impo t nt p ility o is n op to o onn ting int Is n - 

to- n to suppo t soiling out s qu n s o h iou s. h on t n tion 

o two s ts o int Is A n Y is th s t X\ Y o 11 th int Is z su h th t 

th xist two isjoint int Is a: X n y Y with sup mum ox qu 1 

to in mum o y n wlios union is 2 . 

4.1 Sender 

n th xiom ti pp o h m ss g is mo 11 s s qu n o its. h 
sto 11 possi 1 m ss g s is th s t Msg o non mpty nit s qu n s on 
it = 0,1 . Iso n th s t o th ool n lu s 1 = t u , Is . L t 
head Msg it n head2 Msg Msg th un tions th t tu n 
sp ti ly th st it n th s qu n o th st two its o th m ss g 

odd Msg B th un tion th t tu ns t u i th m ss g h s no 

1 ngth n Is oth wis tail Msg Msg th un tion th t tu ns th 
m ss g without its st it front Msg Msg th un tion th t tu ns 
th m ss g without its 1 st it last Msg it n last-2 Msg Msg th 

un tions th t tu n sp ti ly th 1 st it n th s qu n onsisting o th 

1 st two its o th m ss g . h sto th m ss g s th t m t CO n Cl is 
n s ollows. 

oo Msg = m Msg head m = 1 ( odd m = tu last-2 m = 0, 0 ) 

L t Q = 2.22 10 -4 th onst nt th t not s on qu t o slot 

m su y th s n . s t th in st u tu n ss y o th n o ing y 
int o u ing s t 

Mi lot = t T n N. t — nQ , 

i 1 i oo Msg whi h gi s th input m ss g un tion p T Msg 

whi h os th s qu n o its still to o un tion u T B whi h 

n s th ising g s n th ollowing xioms 

Neg. \co 0-) \head{p) = 0 t-ail(p) = i u = Is ) 

Intvl. (w Mi lot <5 = Q) 

(. V = P(a) (#(p) > 0 => p(u) = t-ail(p)) 

Up. (u = t u ) = 0 

Axiom Neg defines function p at negative times by prefixing the input message i with 0. The value of p at the left endpoint of an open interval whose right endpoint is the middle of a time slot and whose length is Q is extended by axiom Intvl to the whole open interval (p = p(α)). Moreover p is defined at the right endpoint as the value that will be extended to the next interval (p(ω) = tail(p)). Notice that the formalism allows the definition of functions at endpoints that do not belong to the intervals characterised by the axioms. Therefore axiom Neg is the base case and axiom Intvl is the inductive step of the definition of p. Function u returns the value true at any time when a rising edge occurs. Since rising edges are assumed to be instantaneous, axiom Up ensures that there is no open interval where u = true, that is u = true at isolated points only. Moreover axiom Neg ensures that no rising edge occurs at negative time.

The encoding of the message is then defined by the following axioms

Enc00. -u> Mi lot 6 = 2Q head2 (p) = 0, 0 ) ; -S = 0- 

-tt = tu-;(u= Is - 
-u> Mi lot head2 (p) = 0, 1 = 0- 

-u = Is } ; -u = t u - 



Enc01. 
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EnclO. -u> Mi lot head2 (p) = 1,0 ) ; -S = 0- 

-u = Is - 

Enc11. -u> Mi lot S = 2 Q head2 (p) = 1, 1 ) ; -S = 0- 

-u = Is ) ; -u = t u - 

EncNext. (a Mi lot 6 = 2Q^ {u = Is j 

EncEnd. (a Mi lot #(p(a)) 1 <5 > 0^ (u = Is ) 

The first four axioms define the encoding of the current bit, taking into account the last bit that has already been encoded. This is done by sampling the value of p on the first half of the current time slot, which is a 2Q long interval. If the bit to encode is 1 then, independently of the last encoded bit, a rising edge is generated on the right endpoint of the interval, which is the middle of the current time slot (axioms Enc01 and Enc11). When the last encoded bit is also 1 (axiom Enc11) a falling edge is generated at the left endpoint of the interval, but it does not need to be represented. If the bit to encode is 0 (axioms Enc00 and Enc10) then the falling edge generated on the right endpoint of the interval does not need to be represented, while a rising edge is generated at the left endpoint of the interval when the last encoded bit is also 0 (axiom Enc00).

Axiom EncNext ensures that at the middle of a slot there is at least an open gap of 2Q without rising edges. Axiom EncEnd ensures that when the length of p is not greater than 1 no more rising edges may be generated.

4.2 Receiver 

The output of the protocol is expressed by a function o : T → Msg. Let Λ denote the empty message and the infix operator ⌢ denote concatenation of sequences. The decoding by the receiver is a simple translation of the decoding intervals given in Figure 3(a) and in Figure 3(b) into the following axioms.

DecFirst. -a = 0 u = tu- -o(oj) = 1 - 

Dec03. -u = t u - ; (« = Is 0 ^ S < 3pQ ) ;-u = tu- -o(u>) = X- 

Dec35. -u = t u - ; (u = Is 3 pQ ^ S < 5pQ) ;■ -u = t u - 

-o(u>) = o(a) last o(a) - 

Dec570. -« = tu last o = 0- ; (u = Is 5 pQ ^ S < 7pQ) ; 

-u = tu- -o(ui) = o(a) ^ 0 ^ 1 - 
Dec571. -u = tu last o = 1- ; {u = Is 5 pQ ^ 6 < 7 pQ) ; 

-u = t u - -o(w) = o(a) ^ 0 - 

Dec70. -u = tu last o = 0- ; (w = Is S = 7 pQ) ; (t u | 

-o{u>) = o(a) ^ 0 S = 7 pQ- ; (o = o(a)| 
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Dec791. -u = t u last o = 1- ; (u = Is 7 pQ ^ 5 < 9pQ) ; 

-« = t u - -o(ui) = o(a ) 0 1 - 

Dec9e. -u = tu last o = 1 odd (o) = Is - ; (u = Is S = 9 pQ) ; 

(t u J -o(ui ) = o(a) 0 S = 9pQ) ; -o = o(a)j 

Dec9o. -u = t u last o = 1 odd (o) = t u ■ ; (ti = Is 6 = 9p(3) ; 

(t u J -o = o(a)) 

Notice that the value of o is unspecified at most points in time during decoding. It is specified only when a rising edge occurs, and then gives the sequence of bits that has been decoded up to that point in time. However, when the end of the message is detected the value of o is fixed to the decoded message for any subsequent time (axioms Dec70, Dec9e and Dec9o).
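The following Python program is an added, executable reading of the sender axioms of Section 4.1 and the receiver axioms of Section 4.2; it is not part of the paper and is neither the Circal model nor the [9] specification. It takes from the text the constraints C0 and C1, the edge rules Enc00 to Enc11, the 3/5/7/9 Q decoding intervals, the 7Q and 9Q end detection and the Drift bound [0.9, 1.1]. Representing the signal as a sorted list of rising-edge times, measuring time in units of Q with slot k occupying [4k, 4k+4), and modelling drift as a scale factor rho on the receiver's measured distances are our choices, not the paper's. The round-trip check is the untimed correctness property (o = i) and the detection slack is the timed one (how long after the last bit slot the receiver knows the message).

```python
"""Added example, not taken from the paper: an executable reading of the
sender axioms (Section 4.1) and receiver axioms (Section 4.2).  Times are
in units of Q, a quarter of a bit slot; slot k is the interval [4k, 4k+4).
The encoder returns the times of rising edges, the receiver decodes from
the distance between consecutive rising edges, and rho scales those
distances to model clock drift (axiom Drift bounds it to [0.9, 1.1]).
From the text: C0/C1, the edge rules Enc00..Enc11, the 3/5/7/9 Q decoding
intervals and the 7Q/9Q end detection.  Our choice: representing the
signal as a sorted list of edge times.
"""
from itertools import product


def good_msg(bits):
    """GoodMsg: C0, the first bit is 1; C1, odd length or ending in 0,0."""
    return bool(bits) and bits[0] == 1 and (len(bits) % 2 == 1 or bits[-2:] == [0, 0])


def encode(bits):
    """Rising-edge times of the Manchester signal.  A 1 rises at the slot
    middle 4k+2 (Enc01/Enc11); a 0 that follows a 0 rises at the slot start
    4k (Enc00); a 0 after a 1 has only a falling edge (Enc10)."""
    if not good_msg(bits):
        raise ValueError("message violates C0/C1")
    edges, last = [], None
    for k, b in enumerate(bits):
        if b == 1:
            edges.append(4 * k + 2)
        elif last == 0:
            edges.append(4 * k)
        last = b
    return edges


def decode(edges, rho=1.0):
    """Receiver.  Returns (decoded bits, time at which the end is detected),
    both on the receiver's clock, which runs rho times the sender's.  The
    first edge yields 1 (DecFirst); each later edge is classified by its
    distance from the previous one together with the last decoded bit."""
    out, prev = [], None
    for t in (e * rho for e in edges):
        if prev is None:
            out = [1]
        else:
            d, last = t - prev, out[-1]
            if 3 <= d < 5:                      # Dec35: repeat the last bit
                out.append(last)
            elif 5 <= d < 7:                    # Dec570 / Dec571
                out += [0, 1] if last == 0 else [0]
            elif 7 <= d < 9 and last == 1:      # Dec791
                out += [0, 1]
            else:
                raise ValueError(f"edge distance {d:.2f}Q is not decodable")
        prev = t
    # End of message.  After a 0 (whose slot-start edge was the last edge),
    # 7Q of silence completes the pending 0 (Dec70).  After a 1, 9Q of
    # silence completes an even-length prefix with a 0 (Dec9e) and leaves an
    # odd-length prefix unchanged (Dec9o), because of C1.
    if out[-1] == 0:
        return out + [0], prev + 7
    if len(out) % 2 == 0:
        return out + [0], prev + 9
    return out, prev + 9


def all_good_msgs(max_len):
    for n in range(1, max_len + 1):
        for tail in product([0, 1], repeat=n - 1):
            bits = [1, *tail]
            if good_msg(bits):
                yield bits


def round_trip_ok(max_len=8, rhos=(0.9, 0.95, 1.0, 1.05, 1.1)):
    """Untimed correctness o = i for every GoodMsg up to max_len bits and
    every drift value inside the Drift bound."""
    return all(decode(encode(m), rho)[0] == m
               for m in all_good_msgs(max_len) for rho in rhos)


def worst_detection_slack(max_len=8):
    """Timed property for rho = 1: how many Q after the last bit slot ends
    (at 4*len(bits)) the receiver detects the end, in the worst case."""
    return max(decode(encode(m))[1] - 4 * len(m) for m in all_good_msgs(max_len))


if __name__ == "__main__":
    msg = [1, 0, 0, 1, 0, 0]
    print("edges", encode(msg), "decoded", decode(encode(msg)))
    print("round trip ok:", round_trip_ok(), "worst slack:", worst_detection_slack())
```

Running it shows why the receiver lags one bit after a 1,0 transition (a rise 6Q after a 1 appends only one 0; the next edge or the end-of-message silence supplies the rest) and why the Drift bound matters: with rho = 1.3 the 4Q distance of a repeated 1 measures 5.2Q and is decoded as a 0, so the round trip fails without any axiom being violated locally.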

4.3 Timed Verification of the Protocol 

In the process algebra approach we have presented an untimed verification of the protocol. Here we can reason explicitly about time and prove not only that the message is decoded correctly but that it is decoded within the deadline defined in Section 2.

Before verifying the protocol it is necessary to define the constraints under which the verification is carried out. Constraints C0 and C1 are built into the specification through the GoodMsg set. As for the drift, we do not need to use exact values but just to give a lower and an upper bound. Therefore we add to our specification the following axiom.

Drift. $(\rho \geq 0.9) \wedge (\rho \leq 1.1)$

We have seen that when the end of the message is detected the value of o is fixed to the decoded message for any subsequent time. The protocol is correct if on every interval that starts at time ( (#i) − 9ρ)Q or later, relative to the middle of the first slot, the functions o and i are equal. Therefore the correctness requirement of the protocol is the following

Corr. -a ^ ( (ffi) — 9 p)Q)~ -o = i- 

The protocol was verified by proving that the conjunction of all the given axioms implies Corr. The proof is somewhat involved but can be divided into the following steps

1. -u = t u - -last o = head p (ffp 2 => last2 o = head2p)- 

2. -u = t u - -(front o) ^ p = i (5 = 0- 

3. -a = ((#*)- )Q S ^ Q) -#p = 1 6= Q) ; -#p = 0) 

. -u = t u - ; (u = Is ) ; -a = ( (#i) — )Q S ^ Q) 

-(front o) ^ p = i u = t u - ; (u = Is ) ; 

-a = ( (#z) — )Q S = Q ffp = 1 u — Is ) ; -u = Is - 
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5. -u = t u - ; (5 ^ 9pQ u = Is •) ; -a = ( (#z) — 9p)Q) 

-u = t u - ; {5 ^ 9 pQ u = Is ) ; -o = i) 

6- -a = ((#*)- 9 p)Q) -o = i) 

Step 1 is complex and requires an exhaustive analysis of all compatible combinations of pairs of encoding axioms and their subsequent combination with the appropriate decoding axioms, consistently with axiom Drift. This required several pages of proof.

Step 2 was obtained by induction from Step 1 with the additional use of axiom Up.

Step 3 was obtained by induction from the following
Base. -u> = 0 5 = Q) 1^ 

Induct, -to Mi lot 6 = Q) > 0 => (#(p(w)) = — 1)) 

with induction base Base derived from Neg and induction step Induct derived from Intvl.

Since the value of α in Step 3 belongs to MidSlot, from Step 2, Step 3 and EncEnd we can derive Step 4.

Step 5 was obtained by the application of the property

-u = t u - ; {u = Is S ^ 9pQ- 

-u = t u (p = 0 p = 1,0 p = 1 )- ; (m = Is 

which is derived from the encoding axioms and Step 4 together with Dec9e, Dec9o and Dec70.

Step 6 was derived from Step 5. Requirement Corr is a simple consequence of Step 6.

5 Comparison of the Two Approaches 

We have presented two entirely different approaches to the specification and verification of an audio control protocol with real-time characteristics.

The first approach is based on the Circal process algebra and allows an untimed verification of the protocol correctness. In this approach time was modelled in terms of discrete ticks and is used to implement the encoding and decoding of the message. The use of ticks often leads to state explosion when generating the global time behaviour of the system. A solution to this problem is to abstract time away before carrying out the verification. The relation between the local times of the sender and receiver is established by the process which plays the role of timing constraint [6].

In the second approach time plays a central role both in specifying and in verifying the system. The greater expressive power of [9] in modelling time allows the derivation of an upper bound on the time needed to decode a given message.

It is interesting to notice that the modelling challenges are almost complementary in the two approaches. Modelling the sender is quite an easy task using the process algebra, due to the procedural nature of the sender. In [9], instead, it is necessary to define an infrastructure in which to represent the message encoding. There are many possible choices at this stage, none of them intuitive. The result is a complex construction where a simple behaviour is obscured within a relatively large specification. On the other hand the receiver is hard to model using Circal, whereas it is almost immediate in [9].

The correctness proof is quite simple in Circal and is automatically performed using the Circal System. A graphical interface to the Circal model of the protocol has been constructed using Tcl/Tk [15]. The user interface allows the input of a sequence of messages and the specification of relative clock timings, both in the simulation and in the formal verification of the protocol.

In [9] the correctness proof is very complex and was carried out by hand. However, the most complex part of the proof is given by Step 1. This step of the proof establishes the correctness of the correspondence between encoding and decoding of single bits. All possible combinations of encodings and decodings must be exhaustively checked. Such a proof step cannot be fully automated. When performed with the help of a theorem prover it still requires a great amount of interaction with the user in constructing all the single cases.

The proof of Steps 3-6 is much shorter than the proof of just Step 1. It shows difficulties only when encoding and decoding axioms are used together, which happens at Step 5. The use of encoding and decoding axioms together is necessary to verify that eventually the input and the output sequences coincide. This is actually the untimed correctness verification that is fully automated in the process algebra approach. If we replace requirement Corr by

Timing, -a ( (#z) — 9p)Q- -o = o(a)~ 

we may verify in [9] only the timing, with the assumption that the actual correctness has been automatically verified in the process algebra framework. Indeed such a pure timing verification is much easier to automate.

6 Conclusion 

We have expressed the same requirement in two different formalisms, allowing their expressiveness and capabilities to be directly compared. The process algebra solution offered a simple operational model which could be analysed automatically but was unable to capture all of the necessary timing properties. The axiomatic solution offered an abstract, non-constructive model that captured all of the requirements but required challenging proof techniques to analyse.

Perhaps the best approach therefore is to use different formalisms to analyse different properties. It is in general possible to decompose a property or requirement into subproperties which may then be verified within different proof environments. We have shown this using a well-known case study. However, we need to construct a different model of the system under analysis for each proof environment to be used. We must therefore ensure the consistency of all these models. A possible way is automatic translation between specification formalisms.




Process Algebra versus Axiomatic Specification of a Real-Time Protocol 






Acknowledgements. I would like to thank Colin Fidge for helpful discussions and useful comments on this paper. This research has been supported by the Information Technology Division of the Defence Science and Technology Organisation.

References 

1. A. Bengtsson, W. Griffioen, K. Kristoffersen, K. Larsen, F. Larsson, P. Pettersson, 
and W. Yi. Verification of an audio control protocol with bus collision. In 8th 
International Conference on Computer-Aided Verification (CAV’96), volume 1102 
of Lecture Notes in Computer Science. Springer, 1996. 

2. D. Bosscher, I. Polak, and F. Vaandrager. Verification of an audio control protocol. In 3rd School and Symposium on Formal Techniques in Real-Time and Fault-Tolerant Systems (FTRTFTS'94), volume 863 of Lecture Notes in Computer Science, pages 170-192. Springer, 1994.

3. A. Cerone. Axiomatisation of an interval calculus for theorem proving. Technical 
Report 05-00, Software Verification Research Centre, The University of Queens- 
land, Brisbane, Australia, Jan 2000. 

4. A. Cerone, A. J. Cowie, G. J. Milne, and P. A. Moseley. Description and verification 
of a time-sensitive protocol. Technical Report CIS-96-009, University of South 
Australia, Adelaide, Australia, 1996. 

5. A. Cerone, A. J. Cowie, G. J. Milne, and P. A. Moseley. Modelling a time-dependent protocol using the Circal process algebra. In International Workshop on Hybrid and Real-Time Systems (HART'97), volume 1201 of Lecture Notes in Computer Science, pages 124-138. Springer, 1997.

6. A. Cerone and G. J. Milne. Specification of timing constraints within the Circal 
process algebra. In 6th International Conference on Algebraic Methodology and 
Software Technology (AMAST’97), volume 1349 of Lecture Notes in Computer 
Science, pages 108-122. Springer, 1997. 

7. L. Chen. Verification of an audio control protocol within real time process algebra. 
In 2nd Workshop on Formal Methods in Software Practice (FMSP’98), pages 70- 
77, Clearwater Beach, Florida, USA, March 1998. 

8. C. Daws and S. Yovine. Two examples of verification of multirated timed automata with Kronos. In 7th 1995 IEEE Real-Time Systems Symposium, Pisa, Italy, 1995. IEEE Comp. Soc.

9. C. J. Fidge, I. J. Hayes, A. P. Martin, and A. K. Wabenhorst. A set-theoretic model 
for real-time specification and reasoning. In Mathematics of Program Construction 
(MPC’98), volume 1422 of Lecture Notes in Computer Science, pages 188-206. 
Springer, 1998. 

10. W. Griffioen. Proof-checking an audio control protocol with LP. Technical Report 
CS-R9570, CWI, Department of Software Technology, Amsterdam, The Nether- 
lands, Oct 1995. 

11. P.-H. Ho and H. Wong-Toi. Automated analysis of an audio control protocol. In 
7th International Conference on Computer-Aided Verification (CAV’95), volume 
939 of Lecture Notes in Computer Science, pages 381-394. Springer, 1995. 

12. C. Hoare. Communicating Sequential Processes. International Series in Computer 
Science. Prentice Hall, 1985. 

13. K. Larsen, P. Pettersson, and W. Yi. Diagnostic model-checking for real-time systems. In 4th DIMACS Workshop on Verification and Control of Hybrid Systems, New Brunswick, USA, 1995.







Antonio Cerone 



14. G. J. Milne. Formal Specification and Verification of Digital Systems. McGraw 
Hill, 1994. 

15. Verification of a time-dependent protocol (web page). http://www.acrc.unisa.edu.au/doc/circal/circal_protocol.html.




Practical Application of Functional and 
Relational Methods for the Specification and 
Verification of Safety Critical Software 



Mark Lawford*, Jeff McDougall, Peter Froebel, and Greg Moum

Computing and Software, McMaster Univ., Hamilton, ON, Canada L8S 4L7

lawford@mcmaster.ca

o w T hno o i n . 171 0 . .1 y LO 1 0 

jkm@pathcom.com

Ontario Power Generation, 700 University Ave., Toronto, ON, Canada

peter.froebel, g.moum@ontariopowergeneration.com



Abstract. In this paper we describe how a functional version of the 4-variable model can be decomposed to improve its practical application to an industrial software verification problem. An example is then used to illustrate the limitations of the functional model and motivate a modest extension of the 4-variable model to an 8-variable relational model. The 8-variable model is designed to allow the system requirements to be specified as functions with input and output tolerances, as is typically done in practice. The goal is to develop methods of specification and verification that model engineering intuition and hence are easy to use and understand.

1 Introduction 

The Computer Systems Engineering Centre of Excellence Standard for Software Engineering of Safety Critical Software [4] states the following as its first fundamental principle: The required behavior of the software shall be documented using mathematical functions in a notation which has well defined syntax and semantics. In order to achieve this, Ontario Power Generation Inc. (OPG) and Atomic Energy of Canada Limited (AECL) have jointly defined a detailed software development process to govern the specification, design and verification of safety critical software systems. The software development process results in the production of a coherent set of documents that allows for static analysis of the properties of the design described in the Software Design Description (SDD), comparing them against the requirements described in the Software Requirements Specification (SRS).

In this work we review how this functional verification has been done in practice. First we describe how a functional version of the 4-variable model of

* Supported by grant 217249-99.

OPG is the electricity generation company formed from Ontario Hydro.

T. Rus (Ed.): AMAST 2000, LNCS 1816, pp. 73-88, 2000. 

(c) Springer- Verlag Berlin Heidelberg 2000 
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11 n ompo to f ilit t tool upport n to r u th m nu 1 ort 

r quir to p rform n o um nt th p i tion n v ri tion t k . n 

x mpl from i th n u to motiv t th xt n ion to r 1 tion 1 mo 1 . 

The relational model is necessary to rigorously account for tolerances that must normally be considered when trying to implement a system to meet an ideal system behavior.

We propose the 8-variable model as a modest extension of the 4-variable model that takes into consideration input and output tolerances while still permitting the use of functional requirements specifications and design descriptions. The model formalizes the engineering practice of appealing to tolerances when necessary. By attempting to formalize the process, the authors hope to provide a sound basis for tool support of the entire verification process and provide opportunities for further application of fundamental relational algebraic concepts.

Section 2 provides an overview of the basic concepts and notation required by the paper. Section 3 explains the (functional) Systematic Design Verification (SDV) procedure and its limitations regarding tolerances. These limitations motivate the 8-variable model of Section 4.

2 Preliminaries 

Functions and relations are shown in italics (e.g. f, REQ). Sets of time series vectors from the 4 and 8-variable models are shown in bold (e.g. BM). All other mathematical terms are shown in italics (e.g. bm ∈ BM).

For a set V_i we will denote the identity map on the set V_i by id_{V_i} (i.e. id_{V_i} : V_i → V_i such that v_i ↦ v_i). Given functions f : V_1 → V_2 and g : V_2 → V_3 we will use g ∘ f to denote functional composition (i.e. g ∘ f(v_1) = g(f(v_1))). The cross product of functions f : V_1 → V_2 and f' : V_1' → V_2' is the function f × f' : V_1 × V_1' → V_2 × V_2' such that (v, v') ↦ (f(v), f'(v')).

It will also be convenient to consider the operation of relational composition. For F ⊆ V_1 × V_2 and G ⊆ V_2 × V_3,

$$F ; G = \{ (v_1, v_3) \in V_1 \times V_3 \mid (\exists v_2 \in V_2)\; (v_1, v_2) \in F \wedge (v_2, v_3) \in G \}.$$

Thus for the functions f and g defined above, g ∘ f = f ; g. A relation F is said to be total if (∀ v_1 ∈ V_1)(∃ v_2 ∈ V_2) (v_1, v_2) ∈ F.

Denote the set of all equivalence relations on V by Eq(V). Any function f : V → R induces an equivalence relation ker(f) ∈ Eq(V), the equivalence kernel of f, given by (v_1, v_2) ∈ ker(f) if and only if f(v_1) = f(v_2). Define the standard partial order on equivalence relations as follows. Given equivalence relations θ_1, θ_2 ∈ Eq(V) we say that θ_1 is a refinement of θ_2, written θ_1 ≤ θ_2, if each cell (equivalence class) of θ_1 is a subset of a cell of θ_2 (i.e. (v, v') ∈ θ_1 implies (v, v') ∈ θ_2 for all (v, v') ∈ V × V). We can now formally state a basic existence claim for functions that will be used later in the paper.

Claim. Given two functions with the same domain f : V_1 → V_3 and g : V_1 → V_2, there exists h : V_2 → V_3 such that f = h ∘ g iff ker(g) ≤ ker(f).
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3 Functional Systematic Design Verification 

This section provides an overview of the (functional) SDV procedure and highlights elements of the procedure, such as the decomposition of proof obligations, that facilitate tool support and reduce the effort required to perform and document the task. Although the SDV procedure covers other types of verification problems, we will concentrate on the verification of simple functional properties that often compose the majority of system requirements. The reader is referred to the SDV procedure for the complete details. The section concludes with an example that illustrates the limitations of the functional approach.

3.1 SDV Procedure Overview 

The software engineering process described here is based upon the Standard for Software Engineering of Safety Critical Software [4] that was jointly developed by OPG and AECL. This standard requires that the software development and verification be broken down into a series of tasks that result in the production of detailed documents at each stage. The software development stages relevant to this paper are governed by the Software Requirements Specification Procedure [3] and the Software Design Description Procedure. These procedures respectively produce the Software Requirements Specification (SRS) and Software Design Description (SDD) documents. In addition to other methods, these documents make use of a form of tabular representation of mathematical functions [2,10] to specify the software behavior. Tables provide a mathematically precise notation (see [1] for the formal semantics) for the designs in a visual format that is easily understood by domain experts, developers, testers, reviewers and verifiers alike.

The underlying models of both the SRS and the SDD are based upon finite state machines (FSMs). The SDD adds to the functionality the scheduling, maintainability, resource allocation, error handling and implementation dependencies. The specification technique for defining the implementation is based on a virtual machine which will execute the source code which is to implement the SDD. The primary difference between this virtual machine and the FSM describing the SRS is that execution is not instantaneous but takes a finite amount of time, and thus the order of execution must be specified to avoid race conditions. The SRS is produced by software experts with the help of domain experts. It is used by the software developers to produce the SDD, which is then used by all the developers to produce the actual source code.

The software engineering standard [4] requires that the SDD be formally verified against the SRS and then the code be formally verified against the SDD to ensure that the implementation meets the requirements. The formal verifications are governed by the SDV procedure and by the Systematic Code Verification (SCV) procedure. For the purposes of this paper we will concentrate on the SDV process.
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REQ 




OUT 



Fig. 1. ommut tiv i gr m for 4 v ri 1 mo 1 



The objective of the SDV process is to verify, using mathematical techniques or rigorous arguments, that the behavior of every output defined in the SDD is in compliance with the requirements for the behavior of that output specified in the SRS. SDV is based upon verification of the four variable model of [11]; it verifies the functional equivalence of the SRS and SDD by comparing their respective one step transition functions. The resulting proof obligation in this special case,

$$REQ = OUT \circ SOF \circ IN, \qquad (1)$$

is illustrated in the commutative diagram of Figure 1. Here REQ represents the state transition function mapping the monitored variables M (including the previous pass values of state variables) to the controlled variables and updated (current) state represented by C. The function SOF represents the state transition function mapping the behavior of the implementation input variables, represented by state space I, to the behavior of the software output variables, represented by the state space O. The mapping IN relates the specification monitored variables to the implementation input variables, while the mapping OUT relates the implementation output variables to the specification controlled variables. The following section briefly outlines the refinement of the relational methods in [11] to the simple functional case in (1).

3.2 Specialization of the 4- Variable Model 

In the 4-variable model of [11] each of the 4 "variable" state spaces M, I, O and C is a set of functions of a single real valued argument that return a vector of values, one value for each of the quantities or "variables" associated with a particular dimension of the state space. For instance, assuming that there are n_M monitored quantities which we represent by the variables m_1, m_2, ..., m_{n_M}, then the possible time behavior of the variable m_i can be represented as a function m_i^t : R → Type(m_i), where m_i^t(x) is the value of the quantity m_i at time x. We then take M to be the set of all functions of the form

$$m^t(x) = (m^t_1(x), m^t_2(x), \ldots, m^t_{n_M}(x)).$$

Thus the relations corresponding to the arrows of the commutative diagram relate vectors of functions of a single real valued argument.
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n or r to implify th 4 v ri 1 mo 1 to tting w r tri t our 

lv to th wh r h of th 4 “v ri 1 M I O n C i t of 

“tim ri v tor . or x mpl M tu lly r f r to 11 po i 1 t of o 

rv tion or r ( n qu lly p ) in tim h o rv tion ing v tor 
of Um v lu . will u th t rm monitored variable to r f r to qu ntity m-i 

whi h i th ith 1 m nt in th v tor (i {1, . . . . tim ). L t m M tim 
ri v tor of o rv tion of th monitor v ri 1 . ith light u of 

not tion w will u m.i(z ) to not th zth o rv tion of th ith 1 m nt 
(z {0,1,2,... ) of th monitor v ri 1 forth tim ri v tor to. im 
il rly m(z ) r pr nt th zth o rv tion of th hm v lu in th monitor 
v ri 1 v tor for tim ri to. 

or thi mo 1 th tim in r m nt tw n lr of th o rv tion i n 
to th po itiv r lv lu 6 > 0. hu o rv tion z orr pon to tim (z 6). 

h in r m nt S i t k n to 1 1 t n or r of m gnitu 1 th n ny tim 

m ur m nt of int r t. lr v lu of to, t ny point tw n two o rv tion 

(i. . in th r ng of tim z S, (z + 1) 6) ) i n to qu 1 to mi(z). 

lr of th “v ri 1 M,C,I, Ointh p i liz 4 v ri 1 mo lh th 

m fr qu n y of o rv tion ut m y h v i r nt num r of v lu in it 
v tor. lr v lu tim i n to th num r of 1 nr nt in M whi lr r 

o rv ov r tim whil n/ i n to th num r of 1 nr nt in I whi h 

r o rv ov r tim . orm lly n/ n m ■ imil rly no i n to th 

num r of 1 nr nt in O whi h r o rv ov r tim n nc i n to 

th num r of 1 nr nt in C whi h r o rv ov r tim . orm lly nc no- 

Requirements (REQ): The required behavior of the subsystem is described with REQ. In [11] REQ is modeled as defining a relation over M × C. While in general the SRS could be nondeterministic, much of the system behavior can be modeled deterministically, with the result that for the verification of the properties we can assume that REQ is a function (i.e. REQ : M → C).

In this case a new set of time series vectors S is introduced to describe the state of the FSM. Let c ∈ C, m ∈ M, s ∈ S and z ∈ {0, 1, 2, ...}. The zth value of the controlled variable time series vector c(z) depends on both the values of m(z) and s(z), as related by the vector function OUTPUT (i.e. c(z) = OUTPUT(m(z), s(z))). Also the value s(z + 1) depends on both the values of m(z) and s(z), as related by the vector function NEXTSTATE (i.e. s(z + 1) = NEXTSTATE(m(z), s(z))).

The SRS procedure [3] shows how a set of functions f_1, f_2, ..., f_r can be defined such that when a subset of them are composed they define the OUTPUT function. A different, though not necessarily disjoint, subset of them are composed to define the NEXTSTATE function. We call the process of defining the functions the "decomposition of REQ".

Design (SOF): The implemented behavior of the subsystem is described with SOF. SOF can be modeled as a directed graph with p + 2 nodes. Within this graph each node is either one of p SDD sections or I or O, and each edge represents data flow between two of the SDD sections. The node containing I must not be the destination of any edge. The node containing O must not be the source of any edge. In this way SOF defines a relation over I × O. If the design is produced following the SDD procedure, then each of the SDD sections represents a program called from the mainline. We assume a constant mainline loop structure with each program called 1 or more times within the loop. If called more than once, calls are assumed to be evenly spaced within the loop. The loop is assumed to take a constant amount of time to execute.

For a large number of the implementation properties the SDD sections composing SOF can be modeled deterministically, allowing us to consider the special case when SOF defines a function. In this case, when both REQ and SOF are functions, if we are also able to restrict ourselves to functional maps for IN and OUT we can verify the commutative diagram in Figure 1 by comparing the one step transition functions of the FSMs defining REQ and SOF. Detailed descriptions of the underlying SRS and SDD models can be found in [3] and in the SDD procedure respectively.

Fig. 2. Vertical decomposition: isolation of hardware hiding proof obligations



3.3 Decomposing the Proof Obligations 

In Figure 2 we decompose the proof obligation (1) to isolate the verification of the hardware interfaces. The M_p and C_p state spaces are the software internal representations of the monitored and controlled variables, referred to as the pseudo-monitored and pseudo-controlled variables respectively. The proof obligations associated with the decomposition become

$$Abst_C \circ REQ = SOF_{req} \circ Abst_M \qquad (2)$$

$$Abst_M = SOF_{in} \circ IN \qquad (3)$$

$$id_C = OUT \circ SOF_{out} \circ Abst_C. \qquad (4)$$

The first of these equations represents a comparison of the functionality of the system and should contain most of the complexity of the system. The last two represent comparisons of the hardware hiding software of the system. These obligations are often fairly straightforward and are discharged manually.

As an example to help the reader interpret the above decomposition, suppose an actual physical monitored plant parameter belonging to M is the temperature of the primary heat transport system, which might have a current value of x00.3 Kelvin. The hardware corresponding to the temperature sensor and A/D converter might map this via IN to a value of 3.4 volts in a parameter in I. The hardware hiding module might then process this input, corresponding to the mapping SOF_in, producing a value of x00 Kelvin in the appropriate temperature variable belonging to the software state space M_p. Further "vertical decomposition" is performed by isolating outputs and in turn restricting M and projecting C to the variables relevant to a particular subsystem, such as the pressure sensor trip described in Section 3.4.

The observant reader may have noted that the controlled variable abstraction function is defined as Abst_C : C → C_p, which is seemingly the "wrong" direction. The proof obligation (4) forces Abst_C to be invertible, preventing the possibility of a trivial design for SOF_req being used to satisfy the main obligation (2). As we will see below this allows the verifier to define only one abstraction mapping for each pair of corresponding SRS and SDD state variables that occur as both input and output in the decomposition. The SDV procedure provides recourse for the case when there is not a 1-1 correspondence between C and C_p through the use of pseudo-controlled variables that can be defined to more closely match the SRS. The interested reader is referred to the SDV procedure for further details.



Typically the verification of a subsystem represented by (2), the inner part of the commutative diagram, can be decomposed "horizontally" at both the SRS and SDD levels into a sequence of verification blocks, each with a proof obligation of the form

$$SOF_i \circ Abst_{V_{i-1}} = Abst_{V_i} \circ REQ_i. \qquad (5)$$



The price paid for this vertical and horizontal decomposition is that for each block the verifier must provide correspondences between the internal variables making up the V_{i-1}, V_i state spaces at the SRS level and the internal variables making up the V_{i-1,p}, V_{i,p} state spaces at the SDD level, as well as defining the abstraction functions Abst_{V_{i-1}} and Abst_{V_i}. Now the need to define all the abstraction functions, including Abst_C, from top to bottom (SRS to SDD) in Figures 2 and 3 becomes more apparent. The values of many of the controlled variables from the previous execution pass of the FSM often become inputs to the calculation of current internal state and output variables. Similarly, state variables that are the output of one sequential block become the input of the following block. Defining all abstraction functions from top to bottom and then only performing the check for invertibility at the outputs, as embodied by (4), allows the verifier to use the same abstraction function
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Fig. 3. orizont 1 ( qu nti 1) ompo ition of proof o lig tion 



whether the state variable occurs at the input or the output of a block. This technique reduces the number of abstraction functions required by up to one half.



3.4 Limitations of a Functional Model 

The following example uses a simplified sensor trip to demonstrate how the verification task can be partitioned and highlights the limitations of the functional SDV procedure regarding support for tolerances. Currently the verification tool suite only supports functional verification. Work remains to be done on the incorporation of tolerances on inputs and outputs through the use of relational methods. Often SRS and SDD behaviors are not functionally equivalent, but they are within specified tolerances. Currently in these cases a separate rigorous argument must be made appealing to tolerances to explain any differences in functionality. Ideally one would like to be able to use formal mathematical proofs incorporating the tolerances when necessary, without an excessive increase in proof complexity and in the workload associated with the documentation. In many cases it should be possible to add existential quantifiers for variables with tolerances and then make minor modifications to the original theorem statements.

We now describe the verification of a simplified pressure sensor trip that monitors a pressure sensor and initiates reactor shutdown when the sensor value exceeds a normal operating setpoint. We will use tabular specifications for their readability. In all of the tables in Figure 4 the functions return the value in the right column when the condition in the left column is satisfied.

The tables for f_PressTrip and PTRIP in Figure 4 give the proposed SRS and SDD implementation respectively for the sensor trip. The SRS specification of the pressure sensor trip makes use of a deadband to eliminate sensor chatter. In the function definitions f_PressTripS1 and PREV play corresponding roles as the arguments for the previous values of the state variables computed by the functions.

The verification is performed using the Prototype Verification System (PVS) automated proof assistant [9,12] to handle all type checking and proof details. Figure 4 also contains the supporting type, constant and abstraction function definitions for the verification block. The abstraction function posreal2AIType models the A/D conversion of the sensor value by taking the integer part of its input using the built-in function floor(x) from the PVS prelude. It is used to map the real valued SRS input Pressure to the discrete SDD input PRES, which has type AIType. AIType consists of the subrange of integers between 0 and x000, denoted by subrange(0, x000) in Figure 4.

At the bottom of the specification the theorem Sentrip1 is an example of a block comparison theorem that is used to prove a specific instance of the general block verification equation (5) that relates the SRS and SDD inputs and outputs.

If Pressure and PRES were both real numbers related by the identity map then the block comparison theorem Sentrip1 would be easily proved, but in this case, where PRES is a discrete input, when attempting the block comparison PVS reduces the problem to attempting to prove that for all input values the following equation holds:

$$\neg(\mathit{f\_PressTripS1} = \mathit{Tripped} \wedge \lfloor \mathit{Pressure} \rfloor = 2400 \wedge 2400 < \mathit{Pressure} < 2401). \qquad (6)$$

For any value of Pressure in the open interval (2400, 2401), when f_PressTrip was tripped in the previous pass the above formula is FALSE. The problem occurs because whenever 2400 < Pressure < 2401 the abstraction function posreal2AIType maps Pressure to the same value 2400, but when f_PressTripS1 = Tripped the function f_PressTrip maps Pressure values greater than 2400 to Tripped while 2400 gets mapped to NotTripped. In other words

$$\ker(\mathit{posreal2AIType} \times \mathit{Trip2bool}) \not\leq \ker(\mathit{f\_PressTrip}). \qquad (7)$$

So we know by the Claim from Section 2 that there is no design that can satisfy the block comparison theorem Sentrip1. The interested reader is referred to the SDV procedure for further details on the use of PVS in this example and on the Systematic Design Verification process in general.

This is an example of when functional equality is more strict than practically necessary. Due to the accuracy of the sensor and A/D hardware in the actual implementation, all input values have a tolerance of ±x units. In this case the function PTRIP actually provides acceptable behavior.

The generalized relational version of the 4-variable model originally put forward in [11] easily handles this case by allowing REQ, IN and OUT from Figure 1 to be relations between state spaces consisting of sets of vectors of functions of time. We have found that the majority of system properties making
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MTRAN MTOL REQ CTOL CTRAN 

FM BM ' IM ' IC BC ' FC 




Fig. 5. ri 1 o 1 



up REQ are in practice easily specified and verified if they are modeled as deterministic state machines where the NEXTSTATE and OUTPUT functions have tolerances associated with their inputs and outputs, as outlined below.

4 The 8- Variable Model 

When trying to compare the ideal required behavior to a design, allowable tolerances must be specified precisely so that it can be determined whether a proposed design exhibits acceptable behavior. The 8-variable model shown in Fig. 5 has been developed to take tolerances into account in such a way that the ideal required behavior from the functional 4-variable model of Section 3.2 needs no modification. The domain expert still specifies the behavior functionally as REQ, with tolerances described by the MTOL and CTOL (i.e. REQ is a function while MTOL and CTOL are tolerance relations). To facilitate the specification of tolerance relations, the monitored and controlled state spaces M and C of the original 4-variable model are replaced by the triples of state spaces FM, BM, IM and IC, BC, FC respectively.

In this model FM refers to the Field Monitored Variables. These are mathematical variables which model properties of the environment that are being measured. For example, the heat transport temperature in degrees might be modeled by a field monitored variable.

BM refers to the Boundary Monitored Variables. These are mathematical variables which model properties being measured at the limit of the subsystem being described. For example, if the subsystem was a trip computer, a voltage at the terminal block of the computer could be modeled by a boundary monitored variable. Although the required behavior of the subsystem only needs to describe behavior relative to boundary monitored variable values, it is convenient for the specifier writing the requirements to give each boundary monitored variable a name which reflects the property being modeled by the associated field monitored variable. For example, they may name a boundary monitored variable m_HT_Temperature even though it is a voltage value which is being modeled at the boundary. This allows the requirements specifier to concentrate on the problem domain when describing the required behavior of the subsystem. Typically there is a functional relationship MTRAN between FM and BM.

IM refers to the Inner Monitored Variables. Inner monitored variables are mathematical variables which represent the boundary monitored variables with monitored variable accuracy taken into account.

Monitored variable accuracy describes a range of values such that the subsystem is required to respond correctly to at least one of the values within that range. For example, if in the example above the boundary monitored variable accuracy is ±0.5 and the value of the boundary monitored variable at some point in time is 2.5, then the requirements are saying that the subsystem may respond as if the value at that time is any one of the values in the range [2.0, 3.0]. In this way monitored variable accuracy results in the describing of a set of allowable behaviors. Any design which exhibits one of the allowed behaviors meets the requirements.

The ideal required behavior (i.e. REQ), when applied to the inner monitored variables, provides a description of required behavior which accounts for decisions regarding accuracy. For example, the requirements specifier can use a condition m_HT_Temperature > m_HT_Setpoint rather than explaining within the condition how to account for the accuracy of the variable m_HT_Temperature. Note that in some cases IM may be the same as BM. For example, in a trip computer configuration values do not change on-line and are represented as digital values. Thus the accuracy would be ±0. The MTOL relation between BM and IM is typically not a functional relationship, since one value in a boundary monitored variable is related to many values in the corresponding inner monitored variable when there is a non-zero monitored variable accuracy associated with the variable.

I refers to the Input Variables. Input variables are the mathematical variables which model the information available to the software. For example, a voltage which is converted to a digital value via an A/D converter may be made available to the software as an integer in a register. The value read from that register could be modeled as an input variable. The IN relation between BM and I is usually not a functional relationship. This relation takes into account quantization of values (i.e. loss of accuracy due to constructing a discrete representation of a continuous quantity) and hardware inaccuracies (e.g. A/D converter tolerances).

O refers to the Output Variables. Output variables are the mathematical variables which model the values set by the software. For example, if the software sets a bit in a register to indicate that a trip should occur, then this could be modeled as an output variable.

IC refers to the Inner Controlled Variables. Inner controlled variables are mathematical variables which represent the boundary controlled variables before controlled variable accuracy is taken into account.
Controlled variable accuracy describes a range of values such that the response of the subsystem is required to equal a value which is within that range around the value described by the ideal required behavior. For example, if boundary controlled variable accuracy is ±0.1 and the ideal required value of the controlled variable at a point in time is 2.1, then the requirements are saying that the subsystem may respond at that time with a result which is any one of the values in the range [2.0, 2.2]. As with monitored variable accuracy, controlled variable accuracy results in the describing of a set of allowable behaviors. Any design which exhibits one of the behaviors allowed is thereby meeting the requirements.

BC refers to the Boundary Controlled Variables. These are mathematical variables which model properties being controlled at the limit of the subsystem being described. For example, a voltage produced by the subsystem at the terminal block of the computer could be modeled by a boundary controlled variable. Note that, as with boundary monitored variables, it is convenient for the specifier writing the requirements to give each boundary controlled variable a name which reflects the property being modeled by the associated field controlled variable. The CTOL relation between IC and BC is not functional, since one value in an inner controlled variable can be related to many values in the corresponding boundary controlled variable. The OUT relation between O and BC is not typically functional, since it takes into account hardware inaccuracies (e.g. D/A converter tolerances).

FC refers to the Field Controlled Variables. These are mathematical variables which model properties of the environment that are being controlled. Typically there is a functional relationship CTRAN between BC and FC. If BC and FC are not the same variables, then the system-level documentation should describe the transformation between them.

Collectively the variables FM, BM and IM will be referred to as Monitored Variables. Similarly IC, BC and FC will be referred to as Controlled Variables.



Monitored Variable Accuracy: If each boundary monitored variable bm_i has an accuracy requirement +a_i/−b_i where a_i ≥ 0 and b_i ≥ 0, then MTOL is a relation over BM × IM such that (bm, im) ∈ MTOL ⇒

(∀z ∈ {0, 1, ...})(∀i ∈ {1, ..., n_M}) bm_i(z) − b_i ≤ im_i(z) ≤ bm_i(z) + a_i . (8)

Controlled Variable Accuracy: If each boundary controlled variable bc_i has an accuracy requirement +c_i/−d_i where c_i ≥ 0 and d_i ≥ 0, then CTOL is a relation over IC × BC such that (ic, bc) ∈ CTOL ⇒

(∀z ∈ {0, 1, ...})(∀i ∈ {1, ..., n_C}) ic_i(z) − d_i ≤ bc_i(z) ≤ ic_i(z) + c_i . (9)
4.1 Design Verification

From Fig. 5 there are two "paths" from BM to BC. The first path is via IM and IC with MTOL, REQ and CTOL. The second path is via I and O with IN, SOF and OUT. More precisely, when MTOL, REQ and CTOL are composed they describe the REQUIREMENTS relation, which is the subset of BM × BC given by REQUIREMENTS := MTOL ∘ REQ ∘ CTOL. Similarly, when IN, SOF and OUT are composed they describe the relation DESIGN := IN ∘ SOF ∘ OUT ⊆ BM × BC.

Design verification of functional requirements with tolerances is then the process of showing two things:

DESIGN ⊆ REQUIREMENTS, and (10)

DESIGN is total. (11)

Thus by (10) all behaviors that the design may exhibit represent acceptable behavior according to the requirements, and by (11) the design is defined for all possible values of boundary monitored variables. Note that together conditions (10) and (11) guarantee that REQUIREMENTS is total, so that the acceptable behavior of the system has been completely specified for all possible monitored variable values.



It may be that the designers do not want or need REQUIREMENTS to be complete (e.g. in cases when there are input combinations that are physically impossible). This happens when the system being controlled, the "plant", places restrictions on how the monitored variables can relate to the controlled variables. In the standard 4-variable model of [11] this is modeled by the relation NAT ⊆ M × C. In the case of the proposed 8-variable model we would have NAT ⊆ BM × BC. In this case (11) could be replaced by the requirement

(12), relating NAT, REQUIREMENTS and DESIGN (the relation symbols of (12) are not legible in this copy),

to guarantee that (10) is being met by a non-trivial design.



4.2 The Simplified Sensor Trip Revisited

For the simple sensor trip example in Section 3.4, MTRAN can be used to describe the mapping from the physical pressure in kPa to the real valued sensor output voltage, while CTRAN relates the Tripped/NotTripped values of f_PressTrip to the Open/Closed state of a physical relay. The ± tolerance on the input due to the uncertainty in the sensor and A/D conversion is modeled by MTOL, and CTOL is just the identity map due to the discrete nature of the trip output. The remaining maps REQ, SOF, IN and OUT are still modeled by the functions f_PressTrip, PTRIP, posreal2AI and the inverse of Trip2bool respectively.

Using dependent typing facilities, the block comparison theorem Sentripl can be restated as the easily proved theorem




Sentripl: THEOREM
  (FORALL (u: posreal, f_PressTripS1: Trip):
    (EXISTS (u2: {x: posreal | u - TOL <= x AND x <= u + TOL}):
      Trip2bool(f_PressTrip(u2, f_PressTripS1)) =
        PTRIP(posreal2AI(u), Trip2bool(f_PressTripS1))))

(TOL stands for the numeric tolerance, which is not legible in this copy; the existential quantifier over u2 is reconstructed from the tolerance semantics of MTOL, under which the design may respond as if the input were any value within the tolerance band.)
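The distinction between strict functional equality and equality up to an MTOL tolerance band, as an added example in Python that is not part of the paper's PVS theory. The trip setpoint (2400), the trip semantics (trip exactly when the pressure exceeds the setpoint, with the previous state ignored), the floor quantisation and the tolerance bounds are assumptions chosen to reproduce the 2400 < Pressure < 2401 counter-example discussed above; the tolerance is written as the asymmetric pair +a/−b from equation (8).

```python
# Added example, not from the paper: strict versus tolerance-based block
# comparison for the simplified sensor trip. All numeric choices are assumed.
from fractions import Fraction
from math import floor

TRIPPED, NOT_TRIPPED = "Tripped", "NotTripped"
SETPOINT = 2400  # assumed setpoint; the counter-example sits just above it


def f_press_trip(pressure, prev_state):
    """REQ: ideal required behaviour over real-valued pressure.
    Assumed: trip iff pressure exceeds the setpoint (prev_state unused)."""
    return TRIPPED if pressure > SETPOINT else NOT_TRIPPED


def posreal2ai(pressure):
    """IN: A/D quantisation of the pressure to the integer AIType (floor)."""
    return floor(pressure)


def ptrip(ai_value, prev_state):
    """SOF: the software design, working on the quantised AIType value."""
    return TRIPPED if ai_value > SETPOINT else NOT_TRIPPED


def strict_block_comparison(pressure, prev_state):
    """Functional equality REQ(u) = SOF(IN(u)); CTOL and OUT are identities."""
    return f_press_trip(pressure, prev_state) == ptrip(posreal2ai(pressure), prev_state)


def required_outputs(pressure, prev_state, a, b):
    """REQ applied to every inner-monitored value im allowed by MTOL, i.e.
    {REQ(im) : u - b <= im <= u + a} with accuracy +a/-b as in (8).
    Because f_press_trip is a monotone step function, this set is exactly
    the pair of outputs at the two endpoints of the band."""
    return {f_press_trip(pressure - b, prev_state),
            f_press_trip(pressure + a, prev_state)}


def tolerant_block_comparison(pressure, prev_state, a, b):
    """DESIGN ⊆ REQUIREMENTS at one input: the design's output must be one the
    requirement may produce for some im inside the tolerance band."""
    return ptrip(posreal2ai(pressure), prev_state) in required_outputs(pressure, prev_state, a, b)


def sweep(check, lo, hi, step):
    """Sample pressures lo..hi (exact rationals) and both previous states;
    return the (pressure, prev_state) pairs at which `check` fails."""
    failures = []
    u = Fraction(lo)
    while u <= hi:
        for prev in (TRIPPED, NOT_TRIPPED):
            if not check(u, prev):
                failures.append((u, prev))
        u += Fraction(step)
    return failures


def strict_failures():
    """Strict comparison over 2398..2403 in steps of 0.1."""
    return sweep(strict_block_comparison, 2398, 2403, Fraction(1, 10))


def tolerant_failures(a, b):
    """Tolerant comparison over the same grid, with MTOL accuracy +a/-b."""
    return sweep(lambda u, p: tolerant_block_comparison(u, p, a, b),
                 2398, 2403, Fraction(1, 10))
```

With a = b = 0 the tolerant check collapses to the strict one, and a band that does not cover the quantisation step (for example +0/−0.5) still leaves part of (2400, 2401) failing.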



5 Conclusion

The main goal of this paper has been to provide insight into how relational methods can be adapted to increase their utility in practical applications. We have outlined functional specification and verification techniques for safety critical software based upon the 4-variable model of [11]. A simple example was used to illustrate the limitations of functional models and motivate a modest extension of the theory to a relational setting that we call the 8-variable model. The main benefit of this model as a refinement of the relational 4-variable model is that the method is intuitive and easy to use for both requirements specification and design description, since engineers typically prefer to think in terms of functions with tolerances when dealing with safety critical systems.
Abstract. We introduce the concept of an algebraic state machine. This is a 
state transition machine all parts of which are described by algebraic and logical 
means. This way we base the description of state transition systems exclusively 
on the concept of algebraic specifications. Also the state of an algebraic state 
machine is represented by an algebra. In particular, we describe the state spaces 
of the state machine by algebraic techniques, and the state transitions by special 
axioms called transition rules. Then we show how known concepts from 
algebraic specifications can be used to provide a notion of parallel composition 
with asynchronous interaction for algebraic state machines. As example we 
introduce a notion of object-oriented component and show how algebraic state 
machines can formalize such components. 



1 Introduction 

State machines are a useful concept for describing the dynamic behavior of systems. 
Many specification formalisms have been developed based on the concept of state 
machines, such as classical automata, I/O-machines [24], state charts [20] but also 
Unity [12] or TLA [23]. One of the problems with using state machines for 
describing complex systems is the large number of states that these systems have and 
that thus must be specified. One way to avoid this problem is to abstract away from all the 
states to a smaller number of higher level states. Many properties of the concrete state 
machine can then be formulated at and inferred from the higher-level model. 

In recent years, abstract state machines (formerly called evolving algebras) have 
been developed explicitly for the purpose of abstracting from the concrete states (see 
e.g. [6], [18, 19]). Abstract state machines have been successfully applied for 
modeling e.g. concurrent algorithms and the operational semantics of programming 
languages [19]. 

T. Rus (Ed.): AMAST 2000, LNCS 1816, pp. 89-118,2000. 
One of the central ideas of abstract state machines is the use of algebras as the 
elements of the state space¹. On these state spaces the state transitions are defined by 
a general form of assignment assigning a new algebra as interpretation to the 
signature such that in fact high level programs are written. Keeping this in mind 
abstract state machines are rather an abstract programming method than a 
specification method. In contrast, we are interested in an axiomatic specification 
technique in the following. Therefore we find it suggestive to work with algebraic 
specifications to specify the algebras of the state space. 

Algebraic specifications are a classical logical concept for axiomatising algebras. 
In this paper we show how the idea of algebras as the states of a state machine can be 
very straightforwardly supported by algebraic specifications. By this, the enormous 
work in the area of algebraic specifications (see, for instance, [31], [3]) is 
immediately available to support the specification of the state machines with algebras 
as states. We speak in the following of algebraic state machines. 

When dealing with large complex systems, it is not always appropriate to describe 
them by one large state transition system. In many cases it is more adequate to 
describe the system as composed of a number of smaller components that work in 
parallel and cooperate and communicate to achieve the required behavior. This 
suggests looking for a notion of composition of components that themselves may be 
described by state transition machines or again are decomposed into a system of 
cooperating subcomponents. For this purpose we need clear concepts of composition, 
cooperation, and communication. We work with a concept of (asynchronous) 
communication over channels. State transitions consume input from the input 
channels and produce output on the output channels. They can be abstracted into 
stream processing functions for which well-understood composition concepts are 
available. As an example for the power and flexibility of algebraic state machines we 
introduce a simple notion of object-oriented component defined by algebraic state 
machines over a class diagram. 

Along these lines we unify the idea of algebraic specifications and stream 
processing into networks of algebraic state machines. The main objective of this 
paper is to integrate the idea of algebras as state smoothly into well-understood 
concepts like algebraic specifications and stream processing components. 

The paper is organized as follows. In section 2 we introduce some basic notions of 
algebraic specifications such as signatures and algebras. In section 3 we introduce the 
basic idea of algebraic state machines. In section 4 we describe the syntactic and 
semantic structure of specifications for algebraic state machines. In section 5 we 
study three examples including a simple object model and class diagrams and discuss 
issues of structuring the state space. In section 6 we show how to carry over known 
ideas of abstraction and composition to algebraic state machines. In particular we 
define asynchronous parallel composition with feedback as a general basis for 
composing algebraic state machines. In section 7 we compare our approach with 
related work. In section 8 we conclude with a brief discussion on the significance of 
algebraic state machines. 



¹ Actually this idea is not new; see, for instance, [15] or [16].

2 Signatures and Algebras 

Each model of a reactive system is based on a data model. Data models are used to 
represent the information and data structures needed to model the relevant aspects of 
an application domain and to provide the computing structures needed for 
representing the internal data of information processing systems. In general, most of 
the common data models capture mainly the structure of the data and their 
relationship, but not their characteristic operations. These, of course, should be an 
integral part of every data model. Along these lines we understand a data model 
always as family of data sets named by sorts together with their relationships and the 
basic characteristic operations and functions. 

From a mathematical point of view, a data model is a mathematical structure 
called a heterogeneous algebra. Such an algebra consists of a family of carrier sets 
and a family of functions each of which is named by an identifier. More technically, 
we assume a set S of sorts² (often also called data types or modes) and a set F of 
symbols for constants including function symbols with a fixed sort called the 
functionality of the constant determined by the mapping 

fct : F → S 

The function fct associates with every symbol in the set F its sort. In the case of 
function symbols these are functional sorts that determine the domain sorts and the 
range sort of the function. We assume that the set of sorts S contains, besides basic 
sorts (such as Bool, Nat, etc.), also tuples of sorts (records) as well as functional sorts 
and even polymorphic sorts (see [27] for details). 

Both the sets S and F provide only names. The pair Σ = (S, F) together with the 
mapping fct that assigns sorts (also called functionalities) to the identifiers in F is 
often called the signature of the algebra. The signature is the static part of a data 
model and provides a syntactic view onto the data model. 

An algebra of the signature Σ, called a Σ-algebra, contains carrier sets for the 
sorts and elements for the function symbols. In every algebra A of the signature Σ = 
(S, F) we associate 

• with every sort s ∈ S a carrier set s^A (a set of data elements) and 

• with every function symbol f ∈ F a constant or function f^A of the requested 
sort or functionality. 

An algebra gives meaning to a signature. It is the interpretation of a signature and 
can be seen as the semantic context of a data model. 

An algebraic specification describes a class of algebras in a property-oriented 
axiomatic way. A specification SPEC = (Σ, AX) consists of a signature Σ and a set of 
laws AX; the elements of AX are predicate logic formulas (with equality) over the 
signature Σ. An algebra is a model of SPEC if it has signature Σ and satisfies all laws in 
AX. Structuring of specifications is achieved by so-called specification-building 
operators, which allow one to extend, rename and combine specifications in a 
compositional way (see [31, 27]). 

² We believe, like many other computing scientists and software engineers, that data sorts 
(typing) are a very helpful concept in modelling application and software structures. 

Manfred Broy and Martin Wirsing 



3 Algebraic State Machines 

A state machine with input and output consists of a state space State (a set of states), 
a set of input actions A_in, a set of output actions A_out, a (possibly non-deterministic) 
state transition function 

Δ: State × A_in → ℘(State × A_out) 

and, last but not least, a set of initial states State_0 ⊆ State. Here, ℘(M) denotes the 
power set over a set M. 

In our case we consider state machines that we connect by channels to their 
environment. Every channel has assigned a sort that characterizes the sort of 
messages that are sent along the channel. The set of input channels is denoted by I 
and the set of output channels is denoted by O. By I⃗ we denote the set of valuations 
of the channels in I by finite communication histories. These are the mappings 

v: I → M* 

where M is the set of messages and M* is the set of finite sequences of messages. 
Of course, for every channel valuation v we require that for every channel c ∈ I the 
sequence v.c is a sequence of elements of sort M_c where M_c denotes the sort of the 
channel c. 

An algebraic state machine is a state machine where the state is an algebra. Given a 
signature³ Σ and a set Alg of Σ-algebras, an algebraic state machine is given by a 
state transition function 

Δ : Alg × I⃗ → ℘(Alg × O⃗) 

In addition we assume a set Alg_0 ⊆ Alg of algebras that are the initial states of the 
state machines. 

We describe algebraic state machines by techniques of algebraic specification. 
Loose algebraic specifications describe sets⁴ of algebras and therefore are very well- 
suited for the description of the state spaces of algebraic state machines, which are 
exactly sets of algebras. 



³ In abstract state machines even the signature of the algebras in the state space may vary when 
performing state transitions. We do not consider this as an important feature since a change of 
the elements of a signature can always be encoded in a class of algebras with a universal 
signature. Note that the set of symbols used in a textual description (which is always of finite 
length) is always finite, anyhow. 

⁴ Formally speaking, the models form a class (in the mathematical sense), not a set. This is due 
to a foundational problem of axiomatic set theory which is, however, not important in our 
context. 
4 Specification of Algebraic State Machines 

To describe algebraic state machines by logical axioms, we define a hierarchical 
signature structured in four layers including four sets of axioms. The signature 
defines the function symbols and sorts. The layers split the signature into static and 
dynamic parts. The static parts of the signature are the sorts and functions of the 
context specification that are used to form the state machine with the same 
interpretation in each state. In other words, the static parts never change in state 
transitions. They represent invariants of the system. 




Fig. 1. Structure of the Specification Hierarchy of an Algebraic State Machine 



The specification of an algebraic state machine consists, in particular, of the 
following constituents (cf. Figure 1): 

- An algebraic specification B = (Σ_B, E_B) called the basic specification or the 
context; the context defines the fundamental sorts and functions on which the 
channels with their sorts and the dynamic part of the description of the 
algebraic state machine are based. It defines all the sorts and function symbols 
that we assume to be given in the environment in which the specification is 
used, and on which the specification is hierarchically based. 

- An interface signature Σ_IO defining a set of input and a set of output channels, 
together with their sorts; the sorts are required to be introduced in the context 
specification B. 

- An algebraic specification called the state space that defines the state space by 
a specification P = (Σ_P, E_P). It consists of a signature and a number of axioms. 
The state space of the associated state machine is the set of models associated 
with this algebraic specification. The state space specification is hierarchically 
based on the basic specification; moreover, it contains those axioms that are 
invariantly true for all algebras in the state space and dynamic function 
symbols whose interpretation may vary in the different states. P is supposed to 
be a conservative extension of the basic specification B (see [31]). 

- A set of axioms E_Init that describe the properties of the initial states in addition 
to the static properties given by the state space specification P that hold for all 
algebras that are members of the state space. 

- A set of transition axioms E_D of the form 

{Pre} i_1:E_1, ..., i_k:E_k / o_1:G_1, ..., o_j:G_j {Post} 

where 

- Pre is a logical formula over the state space, called the precondition, 

- i_1, ..., i_k are input channels, and E_1, ..., E_k are terms over the interface 
signature denoting sequences of the sort of the respective channel; 
together with the channels this is called the input pattern, 

- o_1, ..., o_j are output channels, and G_1, ..., G_j are terms over the interface 
signature denoting sequences of the sort of the respective channel; 
together with the channels this is called the output pattern, 

- Post is a logical formula over the signature of the state space including 
the (declared) identifiers of the state space also in a primed form; it is 
called the postcondition. 

The meaning of such an algebraic specification of a transition machine with input 
and output is rather straightforward.⁵ The specification P defines a set of algebras that 
include the state space. These are those algebras of a signature that comprise the sorts 
and function symbols of the context as well as the sorts and function symbols of the 
state space and that satisfy the axioms of these two specifications. The interface 
signature defines k+j constants corresponding to the input and output messages on the 
channels. Given any model of P the values of the constants are computed by 
interpreting the terms E_1, ..., E_k, G_1, ..., G_j. 

The transition function of the state machine is defined by the transition axioms. 
The transition axioms define a logical relation between input and output messages 
involved in a transition as well as the given state and the successor state. Both the 



⁵ In section 6 we will refine this semantics. By abstracting from the state space we will 
associate a black box view with algebraic state machines which allows us to describe the 
cooperation of algebraic state machines. 

state A and the successor state A' are represented by algebras which share a model of 
the context as common subalgebra. The primed function symbols refer to the 
functions of the successor state. 

The algebraic specification of a state machine should be structured into the layers 
given in Fig. 1 forming a proper hierarchy. Then they fulfil the following logical 
requirements. 

The state space axioms do not impose further logical properties onto the basic 
specification; the same holds for the axioms describing the initial state. 
Technically speaking, all layers shown in Fig. 1 except the top one are 
conservative extensions of the layers on which they are based. 

Of course what we have described so far is not a fully formal semantics but rather 
a sketch. However, to give such a semantics is only an extended exercise in the 
semantics of algebraic specification and could be given as in [5] or [17]. Before we 
discuss the cooperation of algebraic state machines in networks we illustrate our 
approach by a few simple examples. 

For the syntax of our specifications we choose the specification language 
SPECTRUM [27]. In contrast to other algebraic specification languages such as 
CASL [34] it has the advantage of offering polymorphic sorts and functions. 



5 Examples 

In this section we will study three examples: specifications of algebraic state 
machines for interactive sets, for a simple object model and for class diagrams. In 
each case we will give two specifications: one based on a classical algebraic 
specification of finite sets and stores, resp., and one more in the spirit of abstract state 
machines with (dynamic) functions as state attributes. 



5.1 Interactive Sets 

A simple example of a system that can well be modeled by a state transition system is 
a component that implements an interactive set in an object-oriented style. This is an 
encapsulated set that can be manipulated by message exchange, only. We start with 
the basic specification. It defines in a polymorphic style the algebra of finite sets. 



SPEC SET = 
{ sort Set α; 
  ∅ : Set α;                                     -- empty set 
  _∪{_}, _\{_} : Set α, α → Set α;               -- add, delete an element 
  _=∅ : Set α → Bool;                             -- test for empty set 
  _∈_ : α, Set α → Bool;                          -- element test 

  Set α generated by ∅, _∪{_};                    -- generation axiom for finite sets 

  ∅ = ∅;  ¬(set ∪ {x} = ∅); 
  ¬(x ∈ ∅);  x ∈ set ∪ {x}; 
  x ∈ set ⇒ x ∈ set ∪ {y};  x ≠ y ⇒ (x ∈ set ∪ {y} = x ∈ set); 
  ∅ \ {x} = ∅; 
  (set ∪ {x}) \ {x} = set \ {x};  x ≠ y ⇒ (set ∪ {y}) \ {x} = (set \ {x}) ∪ {y}; 
  (set ∪ {x}) ∪ {y} = (set ∪ {y}) ∪ {x};  x ∈ set ⇒ set ∪ {x} = set; 
} 

This is a classical algebraic specification as it is well-known by now. We can form 
a state machine on top of this specification using the following specification of the 
messages arriving on the input channel (strictly speaking we have to introduce 
besides the constructors also selectors, but for sake of brevity we omit them here): 

SPEC INPUT = { sort In α = iselem(α) | add(α) | sub(α) | empty } 

The messages on the output channel are of the sort Bool. The following state 
machine has a very simple dynamic part with a state attribute s of sort Set α. It makes 
only a restricted use of the concept of algebras as states. 

SPEC SetASM = 
{ based_on SET, INPUT; 

  interface: in:  In α     input channel; 
             out: Bool     output channel; 

  state:     s: Set α; 

  initial:   s = ∅; 

  dynamic: 
    {true} in: empty      / -               {s' = ∅}; 
    {true} in: iselem(x)  / out: (x ∈ s)    {s' = s}; 
    {true} in: add(x)     / -               {s' = s ∪ {x}}; 
    {true} in: sub(x)     / -               {s' = s \ {x}}; 
} 

In the following, we introduce some abbreviations for frame axioms which ensure 
that the dynamic elements of the state space remain (almost) unchanged (see e.g. [35] 
for a discussion). For any f: T → R, f_1: T_1 → R_1, ..., f_n: T_n → R_n, a: T, a_1: T_1, ..., a_k: T_k we 
define: 

f remains unchanged:                  SAME(f) for ∀x ∈ T. f'(x) = f(x) 

f remains unchanged except for a:     SAME(f−a) for ∀x ∈ T. x ≠ a ⇒ f'(x) = f(x) 

f_1, ..., f_n remain unchanged except for a_1, ..., a_k, k ≤ n: 

SAME(f_1−a_1, ..., f_k−a_k, f_{k+1}, ..., f_n) for 

SAME(f_1−a_1) ∧ ... ∧ SAME(f_k−a_k) ∧ SAME(f_{k+1}) ∧ ... ∧ SAME(f_n) 

We now give a specification that makes more extensive use of the characteristics 
of algebraic specifications and algebraic state machines by choosing a function as 
state attribute. To achieve this we include the specification of sets into the dynamic 
part (and therefore we do not need SET as part of the base). 

SPEC SetASM1 = 
{ based_on INPUT; 

  interface: in:  In α     input channel; 
             out: Bool     output channel; 

  state:     isel: α → Bool; 

  initial:   isel(a) = false; 

  dynamic: 
    {true} in: empty      / -              {∀ a ∈ α: isel'(a) = false}; 
    {true} in: iselem(x)  / out: isel(x)   {SAME(isel)}; 
    {true} in: add(x)     / -              {isel'(x) = true ∧ SAME(isel−x)}; 
    {true} in: sub(x)     / -              {isel'(x) = false ∧ SAME(isel−x)}; 
} 



Note that here the specification SET has become implicit. We have merged the 
specification of sets and that of the transition axioms. Formally each state of the state 
machine is a characteristic function isel which corresponds to a set. Therefore the 
notion of set is not explicitly present. 

Which of the two specifications SetASM and SetASM1 we consider as being 
better structured is an interesting question. In SetASM1 the fact that the state machine 
implements a set is rather implicit. The laws of interaction and of data manipulation 
are combined while in SetASM they are properly separated. The generation principle 
is replaced by the principle of reachability. Even if the sort α is infinite, only those 
states can be reached where isel is true for a finite set of elements of sort α. A proof 
of this requires a reachability analysis or a proof using an invariant technique. 

Comparing SetASM and SetASM1 semantically, we see that any model of the 
state specification of SetASM can be extended in a unique way by a function isel and 
vice versa any model of the state specification of SetASM1 can be extended by an 
appropriate interpretation of the sort Set and the state attribute s. Thus the state 
specifications of SetASM and SetASM1 implement each other (in the form of a 
Forget-Identify implementation relation, see e.g. [31]). These implementation 
relations extend directly to the axioms for initial states and all parts of the transition 
axioms. Thus SetASM and SetASM1 are equivalent w.r.t. the Forget-Identify 
implementation relation. 
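The two interactive-set machines executed side by side, as an added Python example that is not part of the paper. It assumes a concrete encoding: messages of sort In α are tuples such as ("add", x) or ("empty",), a SetASM state is a frozenset, and a SetASM1 state is the characteristic function isel stored as a dict whose absent keys mean false. The run checks that the output histories agree, that the Forget-Identify correspondence s ↦ (λa. a ∈ s) holds in every state, and that each SetASM1 transition respects its SAME frame axiom.

```python
# Added example, not from the paper: SetASM and SetASM1 as executable
# state machines over a finite input history, plus the frame-axiom check.

EMPTY = ("empty",)


def set_asm_step(s, msg):
    """SetASM transition: state attribute s of sort Set α (a frozenset).
    Returns (s', output); output is None when the output pattern is '-'."""
    tag = msg[0]
    if tag == "empty":
        return frozenset(), None              # {s' = ∅}
    if tag == "iselem":
        return s, msg[1] in s                 # out: (x ∈ s), {s' = s}
    if tag == "add":
        return s | {msg[1]}, None             # {s' = s ∪ {x}}
    if tag == "sub":
        return s - {msg[1]}, None             # {s' = s \ {x}}
    raise ValueError(msg)


def set_asm1_step(isel, msg):
    """SetASM1 transition: the state is isel: α → Bool, kept as a dict
    (missing keys are false). A transition may rewrite only the point named
    in its postcondition, which is what SAME(isel−x) demands."""
    tag = msg[0]
    if tag == "empty":
        return {}, None                       # ∀a ∈ α: isel'(a) = false
    if tag == "iselem":
        return isel, isel.get(msg[1], False)  # out: isel(x), SAME(isel)
    if tag == "add":
        return {**isel, msg[1]: True}, None   # isel'(x) = true ∧ SAME(isel−x)
    if tag == "sub":
        return {**isel, msg[1]: False}, None  # isel'(x) = false ∧ SAME(isel−x)
    raise ValueError(msg)


def run(step, state, inputs):
    """Feed a finite input history to a machine; return the Bool output
    history and the trace of states (initial state first)."""
    outputs, trace = [], [state]
    for msg in inputs:
        state, out = step(state, msg)
        trace.append(state)
        if out is not None:
            outputs.append(out)
    return outputs, trace


def same_except(f_before, f_after, exceptions=()):
    """Frame axiom SAME(f−a_1, ..., f−a_k): f'(x) = f(x) for every x outside
    `exceptions`. Functions are dicts with an implicit default of False."""
    points = set(f_before) | set(f_after)
    return all(f_before.get(x, False) == f_after.get(x, False)
               for x in points if x not in exceptions)


def to_isel(s):
    """Forget-Identify direction Set → characteristic function."""
    return {x: True for x in s}


def frame_axioms_hold(inputs):
    """Along a SetASM1 run, check that every transition changes isel only at
    the point its postcondition names ('empty' must clear every point)."""
    isel = {}
    for msg in inputs:
        nxt, _ = set_asm1_step(isel, msg)
        if msg[0] == "empty":
            ok = not any(nxt.values())
        elif msg[0] == "iselem":
            ok = same_except(isel, nxt)
        else:
            ok = same_except(isel, nxt, {msg[1]}) and nxt[msg[1]] == (msg[0] == "add")
        if not ok:
            return False
        isel = nxt
    return True


def check_equivalence(inputs):
    """Same outputs, and SetASM states map onto SetASM1 states, step by step."""
    out0, trace0 = run(set_asm_step, frozenset(), inputs)
    out1, trace1 = run(set_asm1_step, {}, inputs)
    corresponds = all(to_isel(s) == {x: v for x, v in f.items() if v}
                      for s, f in zip(trace0, trace1))
    return out0 == out1 and corresponds


# Constructed sample input history on the channel `in`.
SAMPLE_INPUTS = [("add", 3), ("add", 5), ("iselem", 3), ("sub", 3),
                 ("iselem", 3), ("iselem", 5), EMPTY, ("iselem", 5)]
```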



5.2 A Simple Object Model 



As a more advanced example we define a simple object model by algebraic 
techniques. The specification OBJECTMODEL describes for given classes 
represented by the sort α and given attributes for each class (for each sort α) the 
object model in a polymorphic style. The sort Store denotes the set of object stores 
and the set Obj α denotes the set of object identifiers (references) for the class α. 
More precisely, α is a record sort of the attributes of the class. 

SPEC OBJECTMODEL = 
{ sort Store, Obj α; 
  emptyStore:  Store;                        -- empty store 
  update:      Store, Obj α, α → Store;      -- update of an object 
  newObj:      Store, α → Obj α;             -- creation of an object 
  newObjStore: Store, α → Store;             -- storage allocation for a new object 
  valid:       Store, Obj α → Bool;          -- test, if object id is declared for a store 
  deref:       Store, Obj α → α;             -- dereferencing 

  Axioms: 
  Store, Obj generated by emptyStore, newObj, newObjStore; 

  For the empty store: 
    valid(emptyStore, r) = false; 

  For selective update: 
    valid(s, v) ⇒ valid(update(s, v, a), r) = valid(s, r) 
                ∧ deref(update(s, v, a), r) = if r = v then a else deref(s, r) fi; 

  For object storage allocation: 
    valid(s, newObj(s, a)) = false; 
    valid(newObjStore(s, a), r) = (valid(s, r) ∨ r = newObj(s, a)); 
    valid(newObjStore(s, a), r) ⇒ 
      deref(newObjStore(s, a), r) = if r = newObj(s, a) then a else deref(s, r) fi; 
} 



Here Obj α is again a polymorphic sort. This means that for every sort M we may form the sort Obj M of the object identifiers of sort M. The operation newObj creates a new (anonymous) object identifier and newObjStore allocates the necessary storage for the new object. The operation valid tests whether an object identifier is declared for a store; update(s, v, a) updates the object identifier v in object store s by the value a. Note that update is well-defined only for valid object identifiers.

The following two specifications introduce the sort Method and the sort Response. The elements of sort Method are the input to the object store, while the elements of sort Response are the output of the object store for method calls. Again Obj α stands for the polymorphic sort of objects (or more exactly of object identifiers). Again we omit the selector functions that we would need to give a proper specification of these simple sorts.



SPEC METHODS =
{ sorts Obj α; Method = create(α) | upd(Obj α, α) | der(Obj α); }

SPEC RESPONSES =
{ sorts Obj α; Response = ob(Obj α) | res(α); }

Finally we are ready to define the algebraic state machine based on these 
specifications above. It is given by the following specification: 

SPEC ObjASM =
{ based_on OBJECT_MODEL, METHODS, RESPONSES;

  interface: in:  Method input channel;
             out: Response output channel;

  state:     s: Store;

  initial:   s = emptyStore;

  dynamic:
    {true}        in: create(a) / out: ob(newObj(s, a))   {s' = newObjStore(s, a)};
    {valid(s, b)} in: upd(b, a)  / out: -                 {s' = update(s, b, a)};
    {valid(s, b)} in: der(b)     / out: res(deref(s, b))  {s' = s};
}



Again the specification is rather straightforward. It follows closely the scheme defined in [11].

The specification ObjASM describes the state transition function of the algebraic state machine for objects. The state transition diagram shown in Fig. 2 visualizes it.

In this specification the fact that an object is valid is a stable property: once an object becomes valid it remains valid forever. There is no way to eliminate an object. The diagram in Fig. 2 is a schematic description of the life cycle of a single object. Of course, it is not difficult to specify a more refined object model where objects can be deleted, meaning that object identifiers can be made invalid.
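As an added example that is not part of the paper, the following Python model implements the OBJECT_MODEL store algebra and the three transitions of ObjASM. Object identifiers are modelled as integers and the store as an immutable mapping; both representation choices are assumptions of the example. check_axioms tests the store axioms on a constructed store, and run shows that valid is stable under all transitions and that a message whose precondition fails (here der on an identifier that was never allocated) leaves the behaviour unspecified, which the model reports as "chaos".

```python
from dataclasses import dataclass, field
from typing import Any, Dict, Optional, Tuple

Obj = int  # object identifiers are integers (assumption of this model)


@dataclass(frozen=True)
class Store:
    """An object store: 'cells' plays the role of deref, its key set is the set of valid ids."""
    cells: Dict[Obj, Any] = field(default_factory=dict)
    next_id: Obj = 0  # the identifier newObj hands out next; keeps newObj fresh


emptyStore = Store()


def valid(s: Store, r: Obj) -> bool:
    return r in s.cells


def deref(s: Store, r: Obj) -> Any:
    if not valid(s, r):                      # deref is only defined on valid identifiers
        raise KeyError(f"dangling reference {r}")
    return s.cells[r]


def update(s: Store, v: Obj, a: Any) -> Store:
    if not valid(s, v):                      # "update is well-defined only for valid object identifiers"
        raise KeyError(f"update of invalid reference {v}")
    return Store({**s.cells, v: a}, s.next_id)


def newObj(s: Store, a: Any) -> Obj:
    return s.next_id                         # axiom: valid(s, newObj(s, a)) = false


def newObjStore(s: Store, a: Any) -> Store:
    r = newObj(s, a)                         # allocate storage for the new object r
    return Store({**s.cells, r: a}, s.next_id + 1)


def check_axioms() -> bool:
    """Test (not prove) the OBJECT_MODEL axioms on a constructed store with ids 0 -> "x", 1 -> "y"."""
    s = newObjStore(newObjStore(emptyStore, "x"), "y")
    r = newObj(s, "z")
    ok = not valid(emptyStore, 0)                                         # valid(emptyStore, r) = false
    ok &= not valid(s, r)                                                 # valid(s, newObj(s, a)) = false
    s2 = newObjStore(s, "z")                                              # storage allocation
    ok &= all(valid(s2, q) == (valid(s, q) or q == r) for q in range(4))
    ok &= deref(s2, r) == "z" and deref(s2, 0) == deref(s, 0)
    s3 = update(s, 0, "w")                                                # selective update of valid id 0
    ok &= all(valid(s3, q) == valid(s, q) for q in range(4))
    ok &= deref(s3, 0) == "w" and deref(s3, 1) == deref(s, 1)
    return ok


def obj_asm_step(s: Store, msg: Tuple) -> Optional[Tuple[Store, Optional[Tuple]]]:
    """One transition of ObjASM: (s', output) for a Method message, None when no pattern applies."""
    if msg[0] == "create":                               # {true} in: create(a) / out: ob(newObj(s, a))
        return newObjStore(s, msg[1]), ("ob", newObj(s, msg[1]))
    if msg[0] == "upd" and valid(s, msg[1]):             # {valid(s, b)} in: upd(b, a) / out: -
        return update(s, msg[1], msg[2]), None
    if msg[0] == "der" and valid(s, msg[1]):             # {valid(s, b)} in: der(b) / out: res(deref(s, b))
        return s, ("res", deref(s, msg[1]))
    return None                                          # precondition violated: nothing is specified


def run(msgs):
    """Feed messages from the empty store; stop with the marker "chaos" at the first unspecified input."""
    s, outs = emptyStore, []
    for m in msgs:
        step = obj_asm_step(s, m)
        if step is None:
            outs.append("chaos")
            break
        s, out = step
        outs.append(out)
    return s, outs
```

The point for a practitioner is the precondition check: deref and update are only defined on valid identifiers, so a dangling reference is rejected by the model instead of silently yielding an arbitrary value, and because no transition removes a key from the store, an identifier that is valid once stays valid in every later state.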
So far the example again does not use the full power of algebraic state machines, since again the dynamic part consists only of a variable s of sort Store. Making more explicit use of the concepts of algebraic state machines, however, we may eliminate the sort Store completely and replace it by the following algebraic state machine ObjASM1, where we encode the store by using the functions valid and deref as state attributes. The state machine is based on the specification OBJECT_MODEL1, which introduces an infinite polymorphic sort Obj α of object identifiers.

SPEC OBJECT_MODEL1 =
{ based_on SET;
  sort Obj α;
  ∀ set ∈ Set Obj α: ∃ a ∈ Obj α: ¬(a ∈ set);      Obj α is infinite
}

The invariant (axiom) of this specification expresses that there are infinitely many elements of sort Obj α for each sort α. Note that Set α is the sort of finite sets over α.

Then the algebraic state machine is specified as follows: 



SPEC ObjASM1 =
{ based_on OBJECT_MODEL1, METHODS, RESPONSES;

  interface: in:  Method input channel;
             out: Response output channel;

  state:     valid: Obj α → Bool;     test if an object id is declared
             deref: Obj α → α;        dereferencing

  initial:   ∀ r ∈ Obj α. valid(r) = false;

  dynamic:
    {valid(obj) = false} in: create(a) / out: ob(obj)
        {valid'(obj) = true ∧ deref'(obj) = a ∧ SAME(valid-obj, deref-obj)};
    {valid(b)} in: upd(b, a) / out: -              {deref'(b) = a ∧ SAME(valid, deref-b)};
    {valid(b)} in: der(b)    / out: res(deref(b))  {SAME(valid, deref)};
}

In this specification the generation principle for object identifiers is hidden; it is implicitly captured by the reachability principle of state machines. Whether this improves the readability of specifications is doubtful. An even more consistent use of algebraic state machines would drop the function valid and use the sort Obj α in a non-static way, i.e. with a carrier set that changes from state to state. However, this conflicts with the fact that the elements of sort Obj α are part of input and output messages. Therefore it is better to think of a universe of objects represented by Obj α and of a finite set of objects valid in a state, represented by the predicate valid.

When using algebras to represent the elements of the state space, it is a critical question which parts of the algebras should be the same in all states. For instance, should we allow different carrier sets to be associated with a sort in successive states? If we allow this, it is very difficult to relate the functions over these carrier sets.

Comparing ObjASM and ObjASM1, one can easily prove, as in the case of interactive sets, that ObjASM and ObjASM1 are equivalent w.r.t. the Forget-Identify implementation relation.



5.3 Class Diagrams 

Our next example is an instantiation of the object model for simple object-oriented components defined by algebraic state machines over class diagrams. For simplicity we show this for simple class diagrams consisting of classes and associations. The approach can easily be extended to cope with inheritance by using the techniques of [2]. A main feature of our approach is that it integrates the semantics of class diagrams with the specification of the behavior of objects by initialization constraints, invariants and pre- and postconditions.

First we define the semantics of class diagrams. Consider the class diagram in Fig. 3; the diagram defines a class C with an association to class D; mult ∈ {1, *} denotes the multiplicity of the association; at_1: M_1, ..., at_k: M_k are the attributes of C; m_1, ..., m_r are the methods of C with formal parameters N_1, ..., N_r and result types R_1, ..., R_r; role is an identifier for an association end.

Corresponding to the two object models of the previous section we give two different translations of the class diagram into algebraic state machines, by instantiating

(i) ObjASM, i.e. by axiomatizing the store algebraically, and

(ii) ObjASM1, i.e. by encoding the attributes as functions into the state space.
Fig. 3. Class diagram: class C (attributes at_1: M_1, ..., at_k: M_k; methods m_1(N_1): R_1, ..., m_r(N_r): R_r) associated with class D, with multiplicity mult and association end role



First, we define the algebraic specification C_BASE1 (of case (ii)) by extending OBJECT_MODEL1 as follows.

C_BASE1 is based on the specifications of all basic types such as INT. For each class C we introduce two sorts

  CRecord            representing the record sort of the attributes and the association roles of C
  C = Obj CRecord    representing the object identifiers of C

Elements of the sort CRecord are constructed using the function symbol

  c: M_1, ..., M_k, E → CRecord

where

  E = Set D   if mult = *
  E = D       if mult = 1

To define C_BASE (case (i)) we further extend C_BASE1 by the sort Store and the selectors and updates for the attributes (similar to the specification OBJECT_MODEL). The association is represented as an attribute of C:

  at_i: Store, C → M_i,   updAt_i: Store, C, M_i → Store,   i = 1, ..., k
  role: Store, C → E,     updRole: Store, C, E → Store,

with the axioms

  deref(s, x) = c(m_1, ..., m_i, ..., m_k, e) ⇒
    at_i(s, x) = m_i ∧ updAt_i(s, x, n_i) = update(s, x, c(m_1, ..., n_i, ..., m_k, e))
    ∧ role(s, x) = e ∧ updRole(s, x, e_1) = update(s, x, c(m_1, ..., m_k, e_1))

The methods specialize the specifications METHODS and RESPONSES. Instead of polymorphic functions we specialize the names of create, ob and res by the appropriate class name and use "res_C" instead of "ob_C".
SPEC C_METHODS =
{ based_on C_BASE1;
  sort CMethod = createC(M_1, ..., M_k, E) | m_1(N_1) | ... | m_r(N_r) }

SPEC C_RESPONSES =
{ based_on C_BASE1;
  sort CResponse = res_T_1(T_1) | ... | res_T_m(T_m)
  where T_1, ..., T_m are the elements of the set {C, R_1, ..., R_r} \ {Void}; }

For example, if r is a term of sort R_i, then res_R_i(r) is a term of sort CResponse.

In the following we consider as example a simple class diagram for bank accounts 
(see Fig. 4) and specify it using the techniques above. Moreover and more 
importantly, we use our specification technique of algebraic state machines to add 
two kinds of constraints to the diagram: invariants and pre- and postconditions. 



Fig. 4. Simple class diagram: class Account (attribute current: Int; methods transact(Int): Void, balance(): Int) and class Person (method getAccounts(): Set Account), related by a one-to-many association with the ends accounts (multiplicity *, on the Account side) and owner (multiplicity 1, on the Person side)

The class diagram consists of two classes Account and Person which are related by an association. The class Account has an attribute current indicating the current balance of the account and two operations transact and balance for changing and querying the balance. The class Person has the method getAccounts that computes the set of accounts of a person. The association relating both classes is one-to-many: an account has exactly one owner, whereas a person may possess several accounts. For simplicity, we omit further attributes and operations of both classes.

According to the translation schema (ii) above, the class diagram of Fig. 4 automatically induces the following specification AP_BASE1, which introduces sorts and operations for the object identifiers and (records of) attributes and association values of the classes Account and Person.



SPEC AP_BASE1 =
{ based_on OBJECT_MODEL1, INT;
  sort PersonRecord, AccountRecord;
  Person = Obj PersonRecord;
  Account = Obj AccountRecord; }

The specification AP_BASE extends AP_BASE1 by constructor, update and selector operations.

SPEC AP_BASE =
{ based_on AP_BASE1;
  sort Store;

  Constructors:
    person:      Set Account → PersonRecord;
    account:     Int, Person → AccountRecord;

  Selectors and updates:
    accounts:    Store, Person → Set Account;
    current:     Store, Account → Int;
    owner:       Store, Account → Person;
    updAccounts: Store, Person, Set Account → Store;
    updCurrent:  Store, Account, Int → Store;
    updOwner:    Store, Account, Person → Store;

  Axioms:
    deref(s, p) = person(set) ⇒
      accounts(s, p) = set
      ∧ updAccounts(s, p, set1) = update(s, p, person(set1));

    deref(s, a) = account(c, p) ⇒
      current(s, a) = c ∧ owner(s, a) = p
      ∧ updCurrent(s, a, c1) = update(s, a, account(c1, p))
      ∧ updOwner(s, a, p1) = update(s, a, account(c, p1));
}


The instantiation of the method and response specifications is as follows. For the create operations we assume standard initial values for most arguments. The operation transact introduces input messages of the form of a method call acc.transact(m), where acc denotes an object (identifier) of class Account and m an integer. Similarly the operations balance() and getAccounts() introduce incoming method calls of the form acc.balance() and p.getAccounts(). As responses we introduce messages which carry a value as an argument; e.g. res_Int(3) is a message carrying the value 3.

SPEC AP_METHODS =
{ based_on AP_BASE1;
  sort APMethod = createAccount(Person) | createPerson()
                | Account.transact(Int) | Account.balance() | Person.getAccounts(); }

SPEC AP_RESPONSES =
{ based_on AP_BASE1;
  sort APResponse = res_Account(Account) | res_Person(Person)
                  | res_Int(Int) | res_Set_Account(Set Account); }

Now we are ready to instantiate the algebraic state machine ObjASM. The one-to-many relationship induces an invariant relating the roles owner and accounts⁶: if a person p is the owner of an account acc, then acc is an element of the accounts attribute of p, and vice versa.

Moreover, we specify requirements which are not expressed in the class diagram: an invariant for the balance of any account, initial states, and the behavior of the methods. As invariant we require that accounts cannot have a negative balance. The behavior of all methods is specified using pre- and postconditions. Note that the method transact has a non-trivial precondition in order to ensure the preservation of the invariant.

SPEC AP_ASM =
{ based_on AP_BASE, AP_METHODS, AP_RESPONSES;

  interface: in:  APMethod input channel;
             out: APResponse output channel;

  state:     s: Store;

  invariants: ∀ acc ∈ Account, p ∈ Person. valid(s, acc) ∧ valid(s, p) ⇒
                current(s, acc) ≥ 0 ∧                             balance requirement
                (acc ∈ accounts(s, p) ⇔ p = owner(s, acc));       one-to-many association invariant

  initial:   s = emptyStore;

  dynamic:
    {accounts(s, p) = set ∧ account(0, p) = a}
      in: createAccount(p) / out: res_Account(newObj(s, a))
      {s' = updAccounts(newObjStore(s, a), p, set ∪ {newObj(s, a)})};

    {true} in: createPerson() / out: res_Person(newObj(s, person(∅)))
      {s' = newObjStore(s, person(∅))};

    {current(s, acc) = x ∧ x + m ≥ 0} in: acc.transact(m) / out: -
      {s' = updCurrent(s, acc, x + m)};

    {current(s, acc) = x} in: acc.balance() / out: res_Int(x)   {s' = s};

    {accounts(s, p) = set} in: p.getAccounts() / out: res_Set_Account(set)   {s' = s};
}

⁶ This invariant could be generated automatically from an extended translation schema. We have omitted this here for reasons of space.



The translation schema (ii) induces an algebraic state machine specification AP_ASM1 with the same interface as AP_ASM and with AP_BASE1, AP_METHODS and AP_RESPONSES as base specifications. The function valid and the attributes accounts, current and owner form the state space. The pre- and postconditions of the transition axioms make extensive use of frame axioms (the SAME clauses, which state that all state attributes not listed as changed keep their values). Assuming these axioms implicitly would simplify the specification considerably.

SPEC AP_ASM1 =
{ based_on AP_BASE1, AP_METHODS, AP_RESPONSES;

  interface: in:  APMethod input channel;
             out: APResponse output channel;

  state:     valid:    Obj α → Bool;           test if an object id is declared
             accounts: Person → Set Account;
             current:  Account → Int;
             owner:    Account → Person;

  invariants: ∀ acc ∈ Account, p ∈ Person. valid(acc) ∧ valid(p) ⇒
                current(acc) ≥ 0 ∧                          balance requirement
                (acc ∈ accounts(p) ⇔ p = owner(acc));       one-to-many association invariant

  initial:   ∀ acc ∈ Account, p ∈ Person. valid(acc) = false ∧ valid(p) = false;

  dynamic:
    {valid(acc) = false ∧ accounts(p) = set}
      in: createAccount(p) / out: res_Account(acc)
      {valid'(acc) = true ∧ current'(acc) = 0 ∧ owner'(acc) = p ∧
       accounts'(p) = set ∪ {acc} ∧
       SAME(valid-acc, current-acc, owner-acc, accounts-p)};

    {valid(p) = false} in: createPerson() / out: res_Person(p)
      {valid'(p) = true ∧ accounts'(p) = ∅ ∧ SAME(valid-p, current, owner, accounts-p)};

    {valid(acc) ∧ current(acc) = x ∧ x + m ≥ 0} in: acc.transact(m) / out: -
      {current'(acc) = x + m ∧ SAME(valid, current-acc, accounts, owner)};

    {valid(acc) ∧ current(acc) = x} in: acc.balance() / out: res_Int(x)
      {SAME(valid, accounts, current, owner)};

    {valid(p) ∧ accounts(p) = set} in: p.getAccounts() / out: res_Set_Account(set)
      {SAME(valid, accounts, current, owner)};
}
As for the previous examples we can prove that AP_ASM and AP_ASM1 are equivalent w.r.t. the Forget-Identify implementation relation.

This example demonstrates that we can extend our method step by step into a full-blown object-oriented modeling technique in a very transparent and straightforward way. Everything we introduced is strictly covered by our basic model.



6 Composing Algebraic State Machines 

Algebraic state machines are only a special case of state machines with input and 
output. Therefore we can associate a black box view with algebraic state machines as 
shown in [9] and compose them as defined in [10]. In the following we give a black 
box behavior semantics of state machines and show how to compose algebraic state 
machines. 



6.1 Black Box View 

We are interested in system models that allow us to represent systems in a modular 
way. We think of a system as being composed of a number of subsystems that we call 
components. Moreover, a system itself is a component again which can be part of a 
larger system. A component is a self-contained unit that encapsulates a hidden state 
with a clear cut interface. Via its interface it is connected with the environment. In 
this section we introduce a simple, very abstract mathematical notion of a system 
component. 

For us, a (system) component is an information processing unit that communicates 
with its environment through a set of input and output channels. This communication 
takes place in a (discrete) time frame. 




Fig. 5. Graphical representation of a component as a data flow node with input channels i_1, ..., i_n and output channels o_1, ..., o_m and their respective sorts M_1, ..., M_n and N_1, ..., N_m

In software engineering, it is helpful to distinguish between a black box view and a 
glass box view of a component. In a black box view we are only interested in the 
interface of a component with its environment. For this we have to describe the causal 
dependencies between the input and the output messages. In a glass box view we are 
interested in the internal structure of a component, which can either be given by its 
local state space together with a state transition relation or by its decomposition into 
subcomponents. We first give a model for the black box view. 
Let $\Sigma_{IO}$ be the interaction interface signature (see Section 4) with a set $I$ of input channels and a set $O$ of output channels. For simplicity, we use just one set $M$ of data sorts for the messages on the channels in the sequel, in order to keep the presentation simple. A graphical representation of a component with its syntactic interface is shown in Fig. 5.

Let $M$ be a sort of messages and signals. By $M^*$ we denote the set of finite sequences over the set of messages $M$, by $M^\infty$ the set of infinite sequences over $M$. By $\hat{}$ we denote the concatenation of sequences. The set $M^\infty$ can be understood to be represented by the total mappings from the natural numbers $\mathbb{N}$ into $M$. Formally we define the set of timed streams as follows (we write $S^\infty$ for the function space $\mathbb{N}_+ \to S$ and $\mathbb{N}_+$ for $\mathbb{N} \setminus \{0\}$):

  $M^\omega =_{def} (M^*)^\infty$

By $\langle\rangle$ we denote the empty stream, by $\langle m \rangle$ the one-element stream, by $\langle m_1 \ldots m_k \rangle$ the stream of length $k$ with the elements $m_1, \ldots, m_k$. For every set of channels $C$, every mapping $v: C \to M^\omega$ provides a complete communication history. Note that $(C \to M^*)^\infty$ and $C \to (M^*)^\infty$ are isomorphic.⁷

We denote the set of valuations of the channels in $C$ by infinite timed streams, $C \to (M^*)^\infty$, by $C^\omega$, and the set of valuations of the channels in $C$ by finite sequences, $C \to M^*$, by $C^*$.

For every number $i \in \mathbb{N}$ and every stream $x \in M^\omega$ we denote by $x{\downarrow}i$ the sequence of the first $i$ sequences in the stream $x$. It represents the observation of the communication over the first $i$ time intervals. By

  $\bar{x} \in M^* \cup M^\infty$

we denote the finite or infinite stream that is the result of concatenating all the finite sequences in the stream $x$. This sequence $\bar{x}$ is finite if and only if only a finite number of sequences in $x$ are nonempty. Going from the stream $x$ to $\bar{x}$ provides a time abstraction. In the stream $x$ we can find out in which time interval a certain message arrives, while in $\bar{x}$ we see only the messages in their order of communication without any indication of their timing.

We use both notations $x{\downarrow}i$ and $\bar{x}$, as well as the concatenation introduced for streams, also for tuples and sets of timed streams by applying them pointwise.

As an example we consider the bank account machine AP_ASM of section 5.3. We fix a model $A$ of the (sum of the) context specifications AP_BASE, AP_METHODS and AP_RESPONSES. Then the set of input messages is given by the interpretation $\mathrm{APMethod}^A$ of the sort APMethod in $A$, and the set of output messages is $\mathrm{APResponse}^A$. Note that $A$ is also a model of the context specification of AP_ASM1; in particular, the sets of input and output messages are the same.



⁷ Moreover, the set $M^\omega$ is isomorphic to the set of streams over the set $M \cup \{\surd\}$ which contain an infinite number of time ticks (here $\surd$ denotes a time tick; we assume $\surd \notin M$).
  $(\mathrm{APMethod}^{A*})^\infty$ is the set of timed infinite input message streams,

  $I^\omega = \{in\} \to (\mathrm{APMethod}^{A*})^\infty$ is the set of valuations of the input channel in by infinite timed method streams,

  $I^* = \{in\} \to \mathrm{APMethod}^{A*}$ is the set of valuations of in by finite method sequences.

An example of a finite input $v \in I^*$ is given by

  v(in) = ⟨a1.balance() a1.transact(-50) a1.balance()⟩

where $a1 \in \mathrm{Account}^A$. An infinite timed stream $x \in I^\omega$ may start with v(in) in the first time unit, contain no message during the second time unit, and then have another balance request, and so on:

  x(in) = ⟨v(in) ⟨⟩ ⟨a2.balance()⟩ ...⟩

Fig. 5 describes the syntactic interface of a component with the input channels $i_1, \ldots, i_n$ of the sorts $M_1, \ldots, M_n$ and the output channels $o_1, \ldots, o_m$ of the sorts $N_1, \ldots, N_m$. In the theoretical treatment we assume for simplicity always the same sort $M$.

We represent the behavior of a component with the set of input channels $I$ and the set of output channels $O$ by a set-valued function:

  $F: I^\omega \to \wp(O^\omega)$

This function yields the set of output histories $F.v$ for each input history $v$. Given the input history $v$, a component with the behavior $F$ produces one of the output histories in $F.v$. We write $F.v$ for $F(v)$ to save brackets.

Only if a set-valued function on streams fulfils certain properties do we accept it as a representation of the behavior of a component. To give a precise definition of these required properties we introduce a number of notions for set-valued functions on streams. A function

  $F: I^\omega \to \wp(O^\omega)$

is called

• timed, if for all $i \in \mathbb{N}$ we have

  $v{\downarrow}i = z{\downarrow}i \Rightarrow F(v){\downarrow}i = F(z){\downarrow}i$

  Then the output in the time interval $i$ depends only on the input received up to the $i$-th time interval. In the literature a function $F$ with this property is also called a causal function.

• time guarded, if for all $i \in \mathbb{N}$ we have

  $v{\downarrow}i = z{\downarrow}i \Rightarrow F(v){\downarrow}(i+1) = F(z){\downarrow}(i+1)$

  Time guardedness assumes, in addition to timedness, that the reaction to input is delayed by at least one time unit.
• realisable, if there exists a time guarded function⁸ $f: I^\omega \to O^\omega$ such that for all input histories $v$ we have:

  $f.v \in F.v$

  By $[F]$ we denote the set of time guarded functions $f$ with $f.v \in F.v$ for all $v$.

• fully realisable, if for all input histories $v$ we have:

  $F.v = \{f.v : f \in [F]\}$

We assume in the following that stream processing functions that represent the behaviors of components are always time guarded and fully realisable.

We define a state transition machine by a state transition function

  $\Delta: State \times I^* \to \wp(State \times O^*)$

and a set

  $State_0 \subseteq State$

of initial states.

In the case of algebraic state machines $State$ and $State_0$ are sets of algebras. Given a specification $(B, (I, O), P = (\Sigma, E), (E_{Init}, E_D))$ (see section 4) we have

  $State = Mod(P)$,  $State_0 = \{A \in Mod(P) \mid A \models E_{Init}\}$,

and $\Delta$ relates all those algebras of $Mod(P)$ which satisfy the axioms $E_D$.

For example, let $A1$ be a model of the state part of AP_ASM which has (at least) two accounts $a1, a2 \in \mathrm{Account}^{A1}$ such that, for instance, $\mathrm{current}(s, a1)^{A1} = 143$ and $\mathrm{current}(s, a2)^{A1} = 20$. Then $\Delta_{AP\_ASM}(A1, v)$ (where $v$ is the three-element stream defined above in this section) consists of a state algebra $A2$ and a stream $w \in O^*$ such that $A2$ differs from $A1$ only in the value of $\mathrm{current}(s, a1)$ and

  $\mathrm{current}(s, a1)^{A2} = 93 \;\wedge\; w.out = \langle res\_Int(143)\; res\_Int(93) \rangle$

A state transition machine is nondeterministic, in general. In each transition step it takes a state and a communication pattern of its input streams and produces a successor state and a communication pattern for its output streams. For this kind of state transition machine we represent the set of possibly updated states and outputs of a transition with the help of a predicate. Of course, sets of pairs of states and output patterns can be used here directly. A state machine models the behavior of an information processing unit with input channels from the set $I$ and output channels from the set $O$ in a time frame as follows. Given a family of finite sequences $x \in I^*$ representing the sequence of input messages $x(c)$ received in a time interval on the channel $c \in I$ of the component in state $\sigma \in State$, every pair $(\sigma', y)$ in the set $\Delta(\sigma, x)$ represents a possible successor state and the sequence of output messages $y(c)$ produced on channel $c \in O$ in the next time interval.



⁸ Since functions can be seen as a special case of set-valued functions whose result sets contain exactly one element, the notion of time guardedness extends to functions.
We associate a stream processing function with a state machine that is given by the transition function $\Delta$ using the following definition. More precisely, we associate a time guarded function $F_\sigma$ with every state $\sigma \in State$ as defined by the following equation:

  $F_\sigma(x) = \{\, y \in O^\omega :$
    $(\exists\, i \in I^*, o \in O^*, \sigma' \in State, x' \in I^\omega, y' \in O^\omega:$
      $y = o \,\hat{}\, y' \;\wedge\; x = i \,\hat{}\, x' \;\wedge\; (\sigma', o) \in \Delta(\sigma, i) \;\wedge\; y' \in F_{\sigma'}(x'))$
    $\vee\; (\forall\, i \in I^*: i \sqsubseteq x \Rightarrow \forall\, o \in O^*, \sigma' \in State: \neg((\sigma', o) \in \Delta(\sigma, i)))\,\}$

Here $\sqsubseteq$ denotes the prefix relation on streams. If the state transition relation contains cycles, then the definition of $F_\sigma$ is recursive. In this case we cannot be sure that the behavior $F_\sigma$ is uniquely specified by the equation above. Therefore we define $F_\sigma$ as the largest (in the sense of pointwise set inclusion) time guarded function that fulfils this equation.

The first (existentially quantified) part of the right-hand side of this defining equation handles the case where at least one of the input patterns applies. The second part treats the case where for the input stream $x$ none of the input patterns applies. This case is mapped onto arbitrary output, called chaos⁹. This definition is justified by the principle that, if nothing is specified for an input pattern, the system may react with arbitrary output. This definition, moreover, guarantees that the function $F_\sigma$ is always fully realizable.

If we do not want to associate a chaotic but a more specific behavior with input situations where no input pattern applies, we can work with default transitions (for instance time ticks) or simply drop the second clause in the definition. Working with chaos, however, has the advantage that adding input patterns for input for which no pattern applied so far is a correct refinement step in the development process.

When dealing with states that are algebras $A$ we rather write $[ASM]_A$ instead of $F_A$. As an example we consider the stream processing function $[AP\_ASM]$ associated with AP_ASM. Let $A1, x, v, w$ be as above. The function

  $[AP\_ASM]_{A1}: \{in\}^\omega \to \wp(\{out\}^\omega)$

abstracts from the states. For the timed stream $x$ we get a result $y \in \{out\}^\omega$ of the form

  ⟨⟨⟩ ⟨res_Int(143) res_Int(93)⟩ ⟨⟩ ⟨res_Int(20)⟩ ...⟩

where the results are delayed by one time unit. Applying $[AP\_ASM]_{A1}$ to a stream $x1$ of the form

  ⟨⟨a2.balance()⟩ ⟨a2.transact(-30)⟩ ...⟩

leads to chaos beginning with the third time unit, since the balance 20 of a2 violates the precondition $x + m \geq 0$ of transact; the result streams $z$ have the form

  z(out) = ⟨⟨⟩ ⟨res_Int(20)⟩⟩ ˆ y(out)

where y(out) is an arbitrary element of $(\mathrm{APResponse}^{A*})^\infty$.

⁹ If no input pattern applies we assume that a specific behaviour is not required.

Because of the one-to-one correspondence of the states of (the models of) AP_ASM and AP_ASM1, it is easy to see that the stream semantics of both specifications are the same.
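The account machine AP_ASM of section 5.3 and the stream semantics $[AP\_ASM]_{A1}$ of this section, as an added Python example that is not part of the paper. States are dicts over the attributes current, owner and accounts rather than store algebras, object identifiers are strings, and the state A1 (a1 holds 143, a2 holds 20, both owned by p0) is constructed here; all of these are assumptions of the example. delta implements the transition patterns including the precondition x + m ≥ 0 of transact, delta_tick folds it over the finite input sequence of one time interval, and run_timed applies the machine to a timed input stream with the one-tick delay of a time guarded function; an input for which no pattern applies switches the output to chaos, modelled by a marker in every later tick.

```python
from typing import Dict, List, Optional, Tuple

CHAOS = "CHAOS"           # marker: from here on any output is allowed
State = Dict[str, Dict]   # {"current": {acc: int}, "owner": {acc: person}, "accounts": {person: set}}


def fresh(prefix: str, used) -> str:
    """A fresh object identifier, playing the role of newObj."""
    n = 0
    while f"{prefix}{n}" in used:
        n += 1
    return f"{prefix}{n}"


def invariant_holds(st: State) -> bool:
    """Balance requirement and one-to-many association invariant of AP_ASM."""
    balance_ok = all(c >= 0 for c in st["current"].values())
    assoc_ok = all((acc in st["accounts"][p]) == (st["owner"][acc] == p)
                   for acc in st["current"] for p in st["accounts"])
    return balance_ok and assoc_ok


def delta(st: State, msg: Tuple) -> Optional[Tuple[State, List[Tuple]]]:
    """One transition of AP_ASM for a single message; None when no input pattern applies."""
    cur, own = dict(st["current"]), dict(st["owner"])
    accs = {p: set(v) for p, v in st["accounts"].items()}
    kind, args = msg[0], msg[1:]
    if kind == "createPerson":
        p = fresh("p", accs)
        accs[p] = set()
        return {"current": cur, "owner": own, "accounts": accs}, [("res_Person", p)]
    if kind == "createAccount" and args[0] in accs:           # p must be a valid person
        p, a =args[0], fresh("a", cur)
        cur[a], own[a] = 0, p
        accs[p].add(a)
        return {"current": cur, "owner": own, "accounts": accs}, [("res_Account", a)]
    if kind == "transact" and args[0] in cur and cur[args[0]] + args[1] >= 0:
        cur[args[0]] += args[1]                                 # precondition x + m >= 0 keeps the invariant
        return {"current": cur, "owner": own, "accounts": accs}, []
    if kind == "balance" and args[0] in cur:
        return st, [("res_Int", cur[args[0]])]
    if kind == "getAccounts" and args[0] in accs:
        return st, [("res_Set_Account", frozenset(accs[args[0]]))]
    return None


def delta_tick(st: State, msgs: List[Tuple]):
    """Delta(sigma, x) for a finite input sequence x: fold the single-message transitions."""
    outs: List[Tuple] = []
    for m in msgs:
        r = delta(st, m)
        if r is None:
            return None
        st, o = r
        outs.extend(o)
    return st, outs


def run_timed(st, timed_input: List[List[Tuple]]):
    """[AP_ASM]_st applied to a timed input stream; the output is delayed by one tick."""
    out = [[]]                       # time guarded: nothing observable in the first tick
    for msgs in timed_input:
        if st is CHAOS:
            out.append(CHAOS)        # chaos persists once entered
            continue
        r = delta_tick(st, msgs)
        if r is None:
            st = CHAOS
            out.append(CHAOS)
            continue
        st, o = r
        assert invariant_holds(st)   # every reachable state satisfies the invariants
        out.append(o)
    return out


# Constructed state A1 of the paper's example: a1 holds 143, a2 holds 20, both owned by p0.
A1: State = {"current": {"a1": 143, "a2": 20},
             "owner": {"a1": "p0", "a2": "p0"},
             "accounts": {"p0": {"a1", "a2"}}}
```

Running run_timed(A1, x) for the paper's stream x yields ⟨⟨⟩ ⟨res_Int(143) res_Int(93)⟩ ⟨⟩ ⟨res_Int(20)⟩⟩, and the stream x1 yields ⟨⟨⟩ ⟨res_Int(20)⟩⟩ followed by the chaos marker, because transact(-30) on a balance of 20 matches no pattern. The assert on the invariant is the practical value of the precondition: with it, no reachable state can carry a negative balance or an account whose owner does not list it.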

Our model of the behavior of a component works with timed input and output 
streams. Since the input and output patterns of algebraic state machines do not refer 
to the timing of the messages, in the definition we work with time abstractions of the 
input and output streams. 

Note that we can give along these lines a precise treatment for sophisticated 
concepts like priorities and spontaneous transitions due to our carefully chosen 
semantic model that includes time. Without an explicit notion (at least on the 
semantic level) of time a proper semantic treatment of priorities or of spontaneous 
reactions is difficult or even impossible. 



6.2 Composition 

When modeling systems and system components, the composition of larger systems from smaller ones is a basic structuring technique. We consider only one basic composition operator for asynchronous interaction, namely parallel composition with feedback. It comprises sequential composition, parallel composition, and feedback as special cases. As is well known, these three composition operators suffice to formulate all kinds of networks of reactive information processing components, provided we have simple components available for permuting and copying input and output lines.

We work with channels and this makes it very simple to form networks. We only 
have to choose the names of the channels such that each channel occurs at most for 
one component as an input channel and at most for one component as an output 
channel. These all may be composed by the parallel composition with feedback as 
specified formally below. 




Fig. 6. Parallel Composition with Feedback 



To define the parallel composition with feedback let ASM1 and ASM2 be two algebraic state machines of the form

  $(B_j, (I_j, O_j), P_j = (\Sigma_j, E_j), D_j)$,  $j = 1, 2$

with base specifications $B_j$, input channels $I_j$, output channels $O_j$, state specifications $P_j$ and dynamic parts $D_j$.

We assume for the channels

  $O_1 \cap O_2 = \emptyset$,  $O_1 \cap I_1 = \emptyset$,  $O_2 \cap I_2 = \emptyset$,

and for the signatures of $P_j$ that the non-basic function symbols of $P_1$ are disjoint from all function symbols of $P_2$ and vice versa.

Then the input and output channels of the composed specification are given by

  $I =_{def} (I_1 \setminus O_2) \cup (I_2 \setminus O_1)$,  $O =_{def} (O_1 \setminus I_2) \cup (O_2 \setminus I_1)$.

The state space specification $P$ is the sum of $P_1$ and $P_2$:

  $P = (\Sigma_1 \cup \Sigma_2, E_1 \cup E_2)$

Then the composition ASM1 ⊗ ASM2 is semantically defined as a stream processing function

  $[ASM1 \otimes ASM2]: Mod(P) \to [I^\omega \to \wp(O^\omega)]$

where $Mod(P)$ denotes the set of models of $P$ and the data sets of $I^\omega$ and $O^\omega$ depend on the chosen common subalgebra of the models of $P$.

For any $\Sigma_1 \cup \Sigma_2$-algebra $A \in Mod(P)$ and any timed infinite stream $x \in I^\omega$ we define (with the valuation $y \in C^\omega$ where $C = I_1 \cup I_2 \cup O_1 \cup O_2$):

  $[ASM1 \otimes ASM2]_A(x) = \{\, y|O :\; x = y|I \;\wedge\; y|O_1 \in [ASM1]_{A|\Sigma_1}(y|I_1) \;\wedge\; y|O_2 \in [ASM2]_{A|\Sigma_2}(y|I_2) \,\}$

Here by $y|O$ we denote the restriction of the valuation mapping $y \in C^\omega$ to the channel set $O \subseteq C$.

To give an example we modify the algebraic state machine AP_ASM for accounts 
to give a bonus for certain transactions. The machine AP_ASM2 renames the 
channels in and out of AP_ASM into in1 and out1 and introduces an additional input 
channel out and an additional output channel in (see Fig. 7). If a message 
acc.transact(m) arrives at input channel in1, then, depending on a boolean value 
arriving at channel out, a bonus is added to the account acc. 

SPEC AP_ASM2 = 
{ based_on AP_ASM[in -> in1, out -> out1]; 
  interface: out: Bool input channel; 
             in: Int output channel; 
  dynamic: 
    {m > 0 ∧ current(s, acc) = c} 
    in1: acc.transact(m), out: true / out1: res_Int(m div 10), in: iselem(c+m) 
    {s' = updCurrent(s, acc, c+m+m div 10)}; 

Fig. 7. Refined Account ASM with Bonus 

To get a bonus component we compose AP_ASM2 with the machine for finite sets 
SetASM1 (see Fig. 8). 

The bonus component is given by 

AP_ASM2 ⊗ SetASM 




Fig. 8. Parallel Composition with Feedback 



Its interaction interface is ({in1}, {out1}). The context is given by the specifications 
SET, INPUT, AP_BASE, AP_METHODS, AP_RESPONSES. The state space 
consists of two constants s1: Set Int, s2: Store and the corresponding invariants. 

For any model $A$ of the state space specification and any timed input stream 
$x \in \{in_1\}^\omega$ we get ($y \in C^\omega$ where $C = \{in_1, out_1, in, out\}$) 

$[\mathrm{AP\_ASM2} \otimes \mathrm{SetASM}]_A(x) = \{\, y|\{out_1\} \;:\;$ 

$x = y|\{in_1\} \;\wedge\;$ 

$y|\{out_1, in\} = [\mathrm{AP\_ASM2}]_A(y|\{in_1, out\}) \;\wedge\;$ 
$y|\{out\} = [\mathrm{SetASM}]_A(y|\{in\}) \,\}$ 

For example, if the timed input stream begins with 
$(a1.transact(m)^{A_1})$ 
in a state $A_1$ with $current(s2, a1)^{A_1} = 134$ and $134 + m \in s1^{A_1}$, then the next element 
of the output stream is $(res\_Int(134 + 134\ div\ 10))$; this means that the account a1 got 
the bonus 13. If on the contrary $134 + m \notin s1^{A_1}$ then no bonus is given. 

Note that the composition of AP_ASM2 with SetASM1 has the same set of state 
transition functions as AP_ASM2 ⊗ SetASM. More generally, one can show that the 
parallel composition operator preserves implementation equivalence: parallel 
composition is compositional! 
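The bonus component above, simulated as a network of two step functions, is an added example and not code from the paper. It checks the channel assumptions and computes the composed interface ({in1}, {out1}), then runs AP_ASM2 and SetASM over timed valuations. Two conventions are assumptions of the example rather than of the paper: a message sent on a feedback channel (in, out) is delivered one tick later, and when the set machine answers false the account is updated to c+m and res_Int(0) is emitted. The initial balance 134 and the transaction amount 134 are constructed so that the bonus of 13 from the text appears.

```python
"""Parallel composition with feedback: AP_ASM2 (x) SetASM as a simulation.
Added example; feedback delay and the no-bonus branch are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Msg = Tuple[str, object]                 # (message name, payload)
Valuation = Dict[str, Optional[Msg]]     # one tick: channel -> message or None


def compose_interface(i1: set, o1: set, i2: set, o2: set) -> Tuple[set, set]:
    """I = (I1\\O2) u (I2\\O1), O = (O1\\I2) u (O2\\I1); only defined when
    O1 n O2 = O1 n I1 = O2 n I2 = {} (the paper's channel assumptions)."""
    if (o1 & o2) or (o1 & i1) or (o2 & i2):
        raise ValueError("channel sets violate the composition assumptions")
    return (i1 - o2) | (i2 - o1), (o1 - i2) | (o2 - i1)


@dataclass
class ApAsm2:
    """Account machine with bonus. Inputs in1 (transactions) and out (Bool
    answers); outputs out1 (results) and in (membership queries)."""
    store: Dict[str, int]                       # current(s, acc) per account
    pending: Optional[Tuple[str, int]] = None   # (acc, m) waiting for its Bool
    inputs = frozenset({"in1", "out"})
    outputs = frozenset({"out1", "in"})

    def step(self, v: Valuation) -> Valuation:
        y: Valuation = {"out1": None, "in": None}
        answer = v.get("out")
        if answer is not None and self.pending is not None:
            acc, m = self.pending
            c = self.store[acc]
            bonus = m // 10 if answer[1] else 0   # assumption: no bonus -> res_Int(0)
            self.store[acc] = c + m + bonus       # s' = updCurrent(s, acc, c+m+m div 10)
            y["out1"] = ("res_Int", bonus)
            self.pending = None
        t = v.get("in1")
        if t is not None:
            acc, m = t[1]
            if m <= 0:
                raise ValueError("precondition m > 0 violated")
            if self.pending is not None:
                raise ValueError("one transaction in flight at a time (simulation assumption)")
            self.pending = (acc, m)
            y["in"] = ("iselem", self.store[acc] + m)   # ask whether c+m is in the set
        return y


@dataclass
class SetAsm:
    """Finite-set machine: answers iselem(x) on channel in with a Bool on out."""
    elems: set
    inputs = frozenset({"in"})
    outputs = frozenset({"out"})

    def step(self, v: Valuation) -> Valuation:
        q = v.get("in")
        return {"out": None if q is None else ("Bool", q[1] in self.elems)}


def run_network(m1, m2, x: List[Valuation], ticks: int) -> List[Valuation]:
    """Returns y|O per tick with x = y|I, y|O1 = [m1](y|I1), y|O2 = [m2](y|I2).
    Internal (feedback) channels carry their message to the next tick."""
    I, O = compose_interface(set(m1.inputs), set(m1.outputs), set(m2.inputs), set(m2.outputs))
    internal = (set(m1.outputs) | set(m2.outputs)) - O
    carry: Valuation = {}
    ys: List[Valuation] = []
    for t in range(ticks):
        v: Valuation = {ch: (x[t].get(ch) if t < len(x) else None) for ch in I}
        v.update({ch: carry.get(ch) for ch in internal})
        produced: Valuation = {}
        for m in (m1, m2):
            produced.update(m.step({ch: v.get(ch) for ch in m.inputs}))
        carry = {ch: produced[ch] for ch in internal}
        ys.append({ch: produced[ch] for ch in O})    # restriction y|O
    return ys


def example_trace(set_contents, m: int = 134):
    """Constructed scenario: current(s2, a1) = 134 and input a1.transact(m).
    Returns the first out1 message and the final balance of a1."""
    ap = ApAsm2(store={"a1": 134})
    sets = SetAsm(elems=set(set_contents))
    ys = run_network(ap, sets, [{"in1": ("transact", ("a1", m))}], ticks=4)
    first = next((y["out1"] for y in ys if y["out1"] is not None), None)
    return first, ap.store["a1"]


if __name__ == "__main__":
    print(compose_interface({"in1", "out"}, {"out1", "in"}, {"in"}, {"out"}))  # ({'in1'}, {'out1'})
    print(example_trace({268}))   # 134+134 in s1: (('res_Int', 13), 281)
    print(example_trace(set()))   # 134+134 not in s1: (('res_Int', 0), 268)
```

The run shows why the interface of the composition is ({in1}, {out1}): in and out cancel against each other and become internal, so an environment of the bonus component can only observe transactions and results, never the membership protocol between the two machines.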



7 Related Work 

The design of algebraic state machines was influenced by several specification and 
design approaches: abstract state machines [18, 19], automata and (classical) state 
machines [7], component specifications based on stream processing functions [11]. 
The object-oriented instance of algebraic state machines was developed based on our 
experience with UML [26]. 

The idea of algebras as states goes back at least to Gaudel [16] and Ganzinger [15]. 
Gaudel proposes in her thesis two kinds of operations on algebras, access functions 
and modifiers. This approach is continued, applied and formalized e.g. in [13], [17]; a 
similar approach is proposed by [Astesiano, Zucca 95] in terms of a new 
mathematical structure, called “d-oid”. [15] considers modules as algebras and 
introduces operators for updating and iterating algebras, a concept which was earlier 
used in category theory (cf. e.g. [14]). 

The abstract state machines of Gurevich [18] use similar concepts: the state of an 
abstract state machine is an algebra and there is a fixed assignment operation which 
allows one to update carrier sets and function symbols. The main difference to 
algebraic state machines is the concept of communication. Abstract state machines 
are based on synchronous communication; in each computation step all enabled rules 
must also fire synchronously. Algebraic state machines are based on asynchronous 
communication; messages are exchanged asynchronously over communication 
channels. Moreover, updating an abstract state machine is similar to assignment in 
imperative languages and not connected with interface signatures as in algebraic state 
machines. Another difference is that Gurevich uses a model-oriented and not an 
axiomatic approach. Abstract state machines are not meant to be formalized in a 
particular logic but should be used in a rigorous (not completely formalized) way. 

The use of pre- and postconditions and invariants goes back to Hoare [22] and is 
well established in programming and design. Good examples are Eiffel [25] and OCL 
[32] and its use in object-oriented development with UML [30]. 

Algebraic state machines are similar to I/O-automata [24] in the sense that they also 
support different input and output channels. However, they generalize I/O-automata 
by admitting highly structured states with (dynamic) operations as attributes. The 
same holds for other classical automata types (see e.g. [7]). Also the notion of states 
in statecharts [20] does not support operations as attributes. Simple transitions of 
statecharts correspond to transitions of algebraic state machines with one input and 
one output channel as follows. 

The guard of a statechart transition is expressed by the precondition, the input 
signal corresponds to the message on the input channel, and the actions are expressed by 
the postcondition using the function symbols of the context specification. 
Concurrency in algebraic state machines is expressed by parallel composition of 
machines and not by concurrent substates as in statecharts. 

Another major difference is that automata and statecharts are not suited to specify 
data whereas algebraic state machines support data type and behavior specification in 
an integrated way. 

An algebraic state machine can be seen as a component specification with an 
interface given by the interface signature together with the appropriate input and 
output message specification and an internal behavior specification given by the state 
machine transitions. In this sense algebraic state machines are similar to component 
specifications in ROOM [28] or UML-RT [29] which allow one to define interfaces 
and behavior using statecharts. Algebraic state machines could be used as a formal 
extension (and as a semantic foundation) of ROOM diagrams. 



8 Conclusion 

We have demonstrated a straightforward way to base the idea of abstract state 
machines on algebraic specifications. Of course, the notation is not the most concise 
and convenient one, and it could and should be considerably streamlined; we may 
improve its readability, for instance, by introducing diagrams and tables. 
Furthermore, we have shown how to combine it with two other fundamental ideas, 
namely class diagrams and stream processing functions. Without much technical 
overhead this leads to a quite interesting compositional specification method for 
interactive distributed systems. 

One critical issue remains. Is it better for the readability of specifications and for 
their formal analysis to separate the description of the state space and its invariants as 
much as possible from the dynamic part? We think yes. We believe it is much better 
to give a classical algebraic specification first that includes the major invariants of the 
system, and then to describe the state space using constants and function identifiers 
(attributes) of the sorts introduced in this specification. 
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n s. h s t o v Is AP g n t s th lg A S ^{AP). 

ust s th synt t lg A] ” ( AP ) s p t z y th to p opo 
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not so s 


ply 


fin . 




w 11 thus n 




th s op 


t ons 


n 


Aserr, 

ctl 


1 n 




fin th 


n v 


u lly. 


h 


op t on n 


s 


{true, false, not, and, or, ax, ex, au, eu} 


nst nt 


t 


n A%r y 


th 



sp tv op t ons {5, 0,C,n, U, NextaU, Next SO me,lfPall,lfPsome} wh 

— $S$ is the constant set of all states in $M$ and $\emptyset$ is the constant empty set. 

— $C$ is the unary operator that produces the complement in $S$ of its argument. 

— $\cap$ and $\cup$ are the binary set union and intersection operators. 

— For $\alpha \in 2^S$ the unary operators $Next_{all}(\alpha)$ and $Next_{some}(\alpha)$ are defined by 
the equalities $Next_{all}(\alpha) = \{s \in S \mid successors(s) \subseteq \alpha\}$ and 
$Next_{some}(\alpha) = \{s \in S \mid successors(s) \cap \alpha \neq \emptyset\}$ respectively, where $successors(s)$ denotes 
the successors of the state $s$ in the model $M$. 

— $lfp_{all}$ and $lfp_{some}$ are inspired by the Y operator for fixpoint construction. 
For $\alpha, \beta \in 2^S$, $lfp_{all}(\alpha, \beta)$ computes the least fixpoint of the equation 
$Z = \beta \cup (\alpha \cap \{s \in S \mid successors(s) \subseteq (\alpha \cap Z)\})$ and $lfp_{some}(\alpha, \beta)$ computes 
the least fixpoint of the equation $Z = \beta \cup (\alpha \cap \{s \in S \mid (successors(s) \cap \alpha \cap Z) \neq \emptyset\})$ 3 . 

ltliough th lg Alt™ x sts t s not us tly n th o 1 h k ng 

p o ss. t s only us to xpl n L s n E ct i 1 ngu g . 

A Model as an Language s th t g t 1 ngu g o ou lg o 1 

h k w v lop S 1 ngu g s on s ts wh h sp t z y 
sp h o 1. o o 1M L m (Am™, A s ^,Cm) us ng op to sh 
S M (Sm,Opm,vm) wh S ct i {Set, Node, Boole} Op ct i {0,U, l~l, \ 
succ, C, , £,“{ }” } n <jm s fin low 




r n 


y 










$\sigma_M(\emptyset) : \to Set$ $\qquad$ $\sigma_M(\subseteq) : Set \times Set \to Boole$ 

$\sigma_M(S) : \to Set$ $\qquad$ $\sigma_M(=) : Set \times Set \to Boole$ 

$\sigma_M(\cup) : Set \times Set \to Set$ $\qquad$ $\sigma_M(\in) : Set \times Node \to Boole$ 

$\sigma_M(\cap) : Set \times Set \to Set$ $\qquad$ $\sigma_M(succ) : Node \to Set$ 

$\sigma_M(\setminus) : Set \times Set \to Set$ $\qquad$ $\sigma_M(\{\ \}) : Node \to Set$ 

h op to s h ostly si s pt v . 0 n S g n t sp t v ly 

th pty s t n th ull s t o st t s S. h n y op to s U fl n \ 
sp t v ly s t un on nt s t on n ft n . Iso h v th su s t 
(C) s t qu 1 ty ( ) n sh p op t ons (g) n th su sso un t on 

succ n s ngl ton s t t on un t on not y { } . h s op to s u 1 s t 
xp ss ons n th synt x lg A s ^ n n s ts n th s nt lg A|f m . 



3.2 Algebraic Compilers 

n algebraic compiler 9 10 C Ls — * Lt wh h ps th 1 ngu g L$ (A S g n , 
A s s em ,Cs) nto th 1 ngu g L T (A^ n , A s T em , Lt) s p o (g n lz ) 
ho o o phs s ( H syn A S g n — > A 8 r^ n ,H sem A s s em —> fin su h th t 

th g n gu 2 o ut s. n g n 1 th op to s h so th 



[Fig. 2 diagram: the languages $L_S$ and $L_T$ with their syntax and semantics algebras 
$A^{syn}_S$, $A^{sem}_S$, $A^{syn}_T$, $A^{sem}_T$, evaluation functions $\varepsilon_S$, $\varepsilon_T$ 
and the homomorphisms $H_{syn}$, $H_{sem}$] 

Fig. 2. An algebraic compiler. 



lg s n th s two 1 ngu g s y not s 1 s s th s w th th 
op to s h s £ c ti n Em o th 1 ngu g s L ct i n Lm w nt n to us 

n ou o 1 h k . hus ho o o phs wh h sso t s s ngl t g t 

lg op t on w th h sou lg op t on s not poss 1 . nst 
o h sou lg op t on w ust u 1 n pp op t op t on o 
sv ltgtlg op t ons. u h op t ons 11 derived operations. 

v op t ons w tt n us ng wo s o th t g t wo lg us ng 
s t o meta variables. w 11 us su s pt vs ons o th so t n s o 
th sou 1 ngu g op to s h s tv ls. h wo “S \ Fi” s 
wo nth lg A^j' ( { F \ }) wh h p s nts th un y v op t on o 
t k ng th o pi nt o s t w th sp t to th ull s t o st t s S', h t 
v 1 F\ s th “ o 1 p t '' o th v op t on. w 11 sso t 
th s v op t on w th th L op t on not s n g v n th s t sh 1 ty 

s t o o ul / t w 11 g n t th s t sh 1 ty s t o th o ul not f. 
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o fin g n 1 z ho o ophs Ho lg Ae s w th op to 
sh Es (Ss, Ops, crs) to lg Ae t wthth poss ly ss 1 op to 

s h Et ( St,Opt,<Jt ) w ust fin two pp ngs 

1. sort map sm Ss — > St wh h ps sou lg so ts to t g t lg 
so ts. n g n 1 z ho o ophs nojtosotso Es w 11 

pp to no j t o so t sto(s) o Et- 

2. operator map om Ops — > We t (Ss) h P s °P to s n th sou 

lg to v op t ons w tt n s wo s n th t g t synt x lg 

w th tv 1 s 5 S th sou so ts w th su s pts. 

h v op t ons wh h t k op ns o th t g t lg li v th 

s s gn tu s s th ount p ts n th sou lg n thus w pi 

tly t n nt t hy lg wh h h s th s op to 

s li Es s th sou lg ut wlios s ts popul t y v lu s 

o th t g t lg n wlios op t ons th v op t ons fin 
y th op to p om. h g n lz ho o o ph s H Ae s — > Ae t s 

thus th o pos t on o n embedding ho o o ph s o Ae s to th nt 

t lg AW g (em Ae s ~~ > Af?) w th n nt ty injection mapping o 
th nt t lg to Ae t (im AfF — > Ae t ) 9 1 . h pp ng im s 

n nt ty pp ng th t ps 1 nts n so t s, s £ Ss n A^f to th s 

v lu n so t sm(s) £ St n Ae t - hus H im o em. n oth th synt x 

n s nt g n 1 z ho o o ph s s o gu 2 pi nt n th s 

nn th nt t lg so n nt t E 1 ngu g n thus 

th g o gu 2 o s th o ut t v g n gu 3. 




Fig. 3. An algebraic compiler with the intermediate language displayed. 



v n pp ng g wh li ps g n to s o th sou lg nto th 
t g t lg g {g s s — > sm(s)} s gs 3 g n un qu ly xt n to ho o 
o ph s H — > Ae t 9 . h lgo th o pi nt ng g n lz 

ho o o ph s o E s lg g n t y G {g s } s£ S s s 




1 



r 



n y 



$h(a) =$ if $a \in g_s$ for some $s \in S_S$ then $g_s(a)$ 

else if $a = f(a_1, a_2, \ldots, a_n)$ for some $f \in Op_S$ 
then $om(f)(h(a_1), h(a_2), \ldots, h(a_n))$. 

h s s 11 1 y x nng t n th ont xt o 011 o 1 h k s 

n lg o p 1 . o st t s th so t p sm s ply ps th so t F n 

S ct i to th so t Set n Em- h g n to s G th s t o to p opos t ons 

Gf AP n gp s th un t on P wh h ps to p opos t ons to th 
s t sh 1 ty s ts. h t s 1 t th n s to fin th op to p om wh h 
ps L op to s n Opcti to v op t ons ov s t sfi 1 ty s ts. 
s w ov how th wo 11 S \ F\ ” oul us to fin th v op t on 

o th L op t on not F\ — * F 0 . h us o th n x so t n F (Ej) s 
th tv 1 s to show th o spon n tw nth p t s o th 

sou n v op t ons. h su s pts us to st ngu sh tw n 

ult pi p t s o th s so t ff nt so ts w 11 h v ff nt n s. 
ons now th L op t on ax. nnot w t o t v op 

t on us ng only th op to s o th t g t 1 ngu g . n t on 1 

onst u ts w th wh h to o pos v op t on. t s t th s po nt th t w 

n g n to sp k o meta languages us n th sp fi t on o lg o 

pi s nst o just meta variables, y nt o u ng so un t on 11 ngu g 
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w 11 0 


put th s 


i t sfi 
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s t 0 th 
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ax f 
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xt 
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S thos 
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y th 


on t on 
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t 11 0 th su 


SSO i 
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t s y /. 
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0 xt 


n ng 


th t 


g t lg 




w th th 


s op 


t ons 


w 


show n 



th ollow ng s t on how t 1 ngu g ont n ng th s onst u ts n 
us n onjun t on w th th t g t 1 ngu g to w t th pp op t v 
op t ons. h v nt g o k p ng th t 1 ngu gsp t othtgt 

1 ngu g s th t w n popul t n lg 1 ngu g p o ss ng nv on nt 

w th s v 1 us 1 t 1 ngu g s wh h 1 ngu g s gn y us to u 1 
t nsl to s. 

3.3 Evaluation of Derived Operations 

v op t ons sp fi y wo s o th t g t 1 ngu g synt x lg 

Aff! n (S s ) ov su s pt s t o tv 1 s o th sou s gn tu 

s t o so ts Ss- n gu 3 th s wo s o A^ n (S s ) us to fin th 
op t ons o th synt x lg n th s nt s lg A s g ™ . hus w 

oul ul g n 1 z ho o ophs h A S g n — > A s g™ wh h ps wo s 
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n A S g n tly to v lu s n App. hus h s th o pos t on o th 
ng o ph s em S y n A S g n — > Agp n th Lst v lu t on un t on £$t ■ ■ 

h em syn o£sT ■ nth s o ou o 1 h k su h ho o o ph s woul 

p L o ul s tly to th s t sh 1 ty s ts n th nt t s n 

t lg .o n y sons th s y s 1 n sotnthwyw 

w 11 tu lly pi nt o 1 h k s s lg o p 1 s. 

4 Meta Languages in Algebraic Compilers 

t 1 ngu g Lml us n n lg o pi s ss nt lly p 

t z S 1 ngu g . Lk 11 S 1 ngu g s t li s n op to sh Sml 
{Sml, Op M L, oml) wh S M l n Op M L s t o so ts n op to n s 

s s n ov . h s gn tu so th s op to n s how v y n lu 
p t s s w 11 s so ts o Sml- h t s oml Opml — »■ PS ML x PSml 
wh PSml wh PSml Sml U Par am- Par am s stop t 

n s. h t 1 ngu g h s t on 1 onst u ts th t w w 11 us to w t 
th v op t ons o th lg o p 1 . n th un t on 1 nst n o 

th o 1 h k th s t 1 ngu g op t ons w 11 n lu th “hit ” n 

A xp ss on op to s w s w ov n th “ p tv” nst n th t 
1 ngu g onst u ts w 11 n lu if n while st t nts ss gn nt st t nts 

n for each loop op t on. h s t op t ons no n t on w th th 

t g t 1 ngu g op t ons o s t nt s t on un on sh p t . us 

to w t th v op t ons sp y ng th o 1 li k . 

o w t v op t ons us ng t ( Lml ) n t g t (Lt) 1 ngu g 
op t ons n instantiation o th t 1 ngu g s t ( y th 1 ngu g 
p o ss ng nv on nt) o th s two 1 ngu g s. h s 1 ngu g s not 
Lmlt {A s ™ t , AZ n L T , C ML t) w th op to sh S ml t. o nst nt t 
t 1 ngu g th ollow ng t sks ust p o 

1. nst nt t th op to sh S M l t - S ml t (Sml t ,Op M L T , &ml t ) 

wh th s t o so ts S ml t s th un on o th t n t g t so ts 

Sml U St th op to n s Opml t th un on o t n t g t 

op to n s Op ml U Opr n s gn tu s n <Jml t t y 

pi ng p t s n a m l s gn tu s w th so tn s n St n ng th 
t g 1 1 ngu g s s gn tu s n <jt- n ou o 1 h k th t g 1 1 ngu g 

so ts Node n Set pi th p t s n th t 1 ngu g s gn tu s. 

2. nst nt t th synt x lg A . ust nst nt t th op tons 

o th synt x lg ut th s n uto t lly onst u t us ng 

p fix o t o th s “wo onst u t ng” op t ons. 

3. nst nt t th s nt lg ust bo ns ^ t th op 

t ons o th s lg . th th y xpl tly onst u t o th n w 
typ s k n o ho poly o ph s op ly th x st ng tin 

gu g op t ons generic (poly o ph o polytyp ) 2 n n thus 

uto t lly wo k on th t typ s o th t g t lg 

v op t ons o th g n 1 z ho o o ph s now w tt n n 

AZl t ( S s) th nst nt t t 1 ngu g wo lg w th tv Is 







S s nst o th synt x lg Ag!P(S s ) o th nt t hy 1 ngu g 

L st s on o . hus th op to p om us n fin ng th g n 1 z 

ho o ophs h s th s gn tu om Ops — > h so t p sm s 

th s s o so th t t g t g s o sou 1 ngu g onst u ts st 11 

o j ts o so ts n th t g t 1 ngu g not th t 1 ngu g . 

h n u 1 ng su h n lg o p 1 th hy nt t 1 ngu g 

L st o gu 3 s pi y th hy nt t 1 ngu g L sml t 

(A S sml t ’A S smlT’£sml t ) s shown n gu 4. Lk L ST th s 1 ngu g hs 
th s op to s h Ss s th sou 1 ngu g ut h sop t ons u It 

us ng th op t ons o L ml t . h ng o phs s em syn n em sem 

n gu 4 o put n th s nn s thos n gu 3. Iso 

n xt p o nt ty nj t on pp ngs tw n Lsml t n L ml t . 




ust s th nt t hy 1 ngu g Lst n gu 3 s uto t lly 

t so t L S ml t (■A S sml Tij/ ^sml t '’ Csml t )- ow v w o n to 
xpl tly t th t 1 ngu g L ml t . ut th s k ss ns wh s o 
w sp fi th sou n t g 1 1 ngu g o th lg o p 1 n w ot 

v op t ons n th t g t synt x lg w th tv 1 s w ust now 
sp y th t 1 ngu g w w sh to us s w 11. h v op t ons 
th n w tt n n th nst nt t t 1 ngu g synt x lg n pp op t 

s t o lg 1 ngu g p o ss ng tools n uto t lly nst nt t th t 
1 ngu g p ov th x st ng t 1 ngu g op t ons g n ut w 
ust t 1 st sp y wh h t 1 ngu g s to o pos w th th s 1 t 
t g t 1 ngu g n o to w t v op t ons n g n t th lg 

o p 1 o th s sp fi t ons. 
4.1 A Functional Meta Language 

s llu to ov w n us un t on 1 t 1 ngu g nsp y ng ou 1 
g o 1 h k MC L ct i — » Lm • h s Hows us w t v op t ons 

o th t po 1 log op to s ax, ex, au n eu us ng un t on 11 ngu g on 
st u ts n thus p ov on s sp fi t ons o ou o 1 h k . lthough 

ull un t on 1 t 1 ngu g woul h v ny h gh o un t ons 1 k map 

n fold w only s h th op t ons wh h us n ou lg 
sp fi t on. o how v us A xp ss ons n h gh o un t ons filter 
limit n iterate wh h fin low. 

Our functional meta language $L_{FM} = (A^{syn}_{FM}, A^{sem}_{FM}, C_{FM})$ has operator 
scheme $\Sigma_{FM} = (S_{FM} = \{Boole, Var, Func(\to), List(\ )\},\ Op_{FM} = \{not, and, filter, \lambda, limit, iterate\},\ \sigma_{FM})$ 
where $\sigma_{FM}$ is defined below: 

$\sigma_{FM}(not) : Boole \to Boole$ 

$\sigma_{FM}(and) : Boole \times Boole \to Boole$ 

$\sigma_{FM}(filter) : (a \to Boole) \times b \to b$ 

$\sigma_{FM}(\lambda) : Var_b \times a \to (b \to a)$ 

$\sigma_{FM}(limit) : a \to a$ 

$\sigma_{FM}(iterate) : (a \to a) \times a \to a$ 






h Boole so t s o ool n v 


Is Var o v 


1 s us 


n A 


xp ss ons 


Func o un t ons tw n two typ s not a — > 


bo sp 


t V 


sou n 


t g t typ s a n b n List 


not a o 1 sts o 


1 nts o typ 


a. filter s 


g n op t on wh h ppl 


s ool n un t on to h 1 


nt (p t 



a) o ont n typ (p t b) n onst u ts th ont n typ w th only 

thos o g n 1 1 nts wh h v lu t to true un th ool n un t on. A s 
th op t on o t ng un t ons o A xp ss ons. h p tan th s 
s gn tu p s nts n xp ss on o typ a w th v 1 o typ b wh h 

wh no n w th v 1 o typ b {V arb) g n t s un t on o typ 

b — > a. limit s un t on wh h 1 z ly v lu t s 1 st o 1 nts tu n ng th 

fi st 1 nt n th 1 st wh h s ollow y 1 nt o th s v lu (1 t 

1,2, 3, 3,... v lu t s to 3). iterate s Iso 1 zy n p t ly ppl s un y 

un t on h st us ng gvn nt 1 v lu n th n to th v lu tu n o th 

p v ous ppl t on h t s iterate f x x cons ( iterate f {f x)) { o x pi 
iterate inc 3 3,4, , ,...). 

n nst nt t th s t 1 ngu g w th th oil ngu g Lm y w t 
ng n w op to s gn tu s y pi ng th p t s a n b n <jfm w th 
so t n s Set n Node o th op to s h Em o Lm- n th f ilter 

op t on s g n 2 w o not n to xpl tly pi nt v s ons o th s 

un t on o s ts. 

4.2 An Imperative Meta Language 

ns 1 ly s gn n p tv t 1 ngu g L IM ( A s j e ff Affff 
Cim) th th sop to s h Ejm {Sim-,Opim,^im)- h so t s t ont ns 
sots Sim {Expr, Stmt, StmtList,Var, Boole} o xp ss ons st t nts 





st t nt 1 sts t . s 1 n p t v 1 ngu g s. s t o op to s 

OpiM wo ill thus n lu th s t {*/, while, assign, block, for each, not, and , ...}. 
h s op to ’s s gn tu s n oth s s fin y him shown low 



$\sigma_{IM}(not) : Boole \to Boole$ 

$\sigma_{IM}(and) : Boole \times Boole \to Boole$ 

$\sigma_{IM}(foreach) : Var \times Expr \times Stmt \to Stmt$ 

$\sigma_{IM}(if) : Boole \times Stmt \to Stmt$ 

$\sigma_{IM}(while) : Boole \times Stmt \to Stmt$ 

$\sigma_{IM}(assign) : Var \times Expr \to Stmt$ 

$\sigma_{IM}(block) : StmtList \to Stmt$ 

$\sigma_{IM}(list_1) : Stmt \to StmtList$ 

$\sigma_{IM}(list_2) : StmtList \times Stmt \to StmtList$ 

$\sigma_{IM}(expr_1) : Expr \to a$ 

$\sigma_{IM}(expr_2) : Expr \to Boole$ 

$\sigma_{IM}(valof) : Stmt \to Expr$ 



h 1 p t v 1 ngu g op t ons p s nt h .0 nt st s th 

g n for each op t on wh h w 11 t t th ough 11 1 nts o ont n 

typ n p o so st t nt o hi nt n th valof op t on 
wh h s st t nts n xp ss ons us ng th v lu o th 1 st ss gn nt. 

5 Model Checker Specification 

n th s s t on w n show th sp fi t ons o th lg o 1 h k 

us ng th un t on 1 n p tv t 1 ngu g s. w 11 w t th t nsl t on 

sp fi t ons o h L op t on op € Op c ti y w t ng th s gn tu o th 

op ton c T c ti(op) ollow y ts v op ton nth t g t om(op) ut 

w w 11 op th om o onv n n . h op t on’s s gn tu s w tt n 

w th th output so t o h op t on to th 1 t n th op t on n spl t 
tw n th nput so ts n not t on. ( n t so lg tools 1 k 

11 us th s sp fi t on to g n t p s o th sou 1 ngu g .) 

h tv 1 s us n th v op t ons n x sou 1 ngu g 
so ts oun n th sou op t on s gn tu . n th v op t ons t 

v Ion nput so t p s nts th t g t g o th o spoil ng sou 

1 ngu g o pon nt. h s sp fit ons p o ss y n lg 1 ngu g 

p o ss ng nv on nt to uto t lly g n t th o 1 h k 12 13 . 

5.1 Functional Meta Language Specification 

h un t on 1 v s on o th lg o 1 h k ps L o ul s n 

A^(AP) to th s tsfi 1 ty s ts. o th non t po 1 op to s n L ct i w 

h v st ght o w v op t ons shown low 







$F_0 = true$ $\qquad$ $S$ 

$F_0 = false$ $\qquad$ $\emptyset$ 

$F_0 = not\ F_1$ $\qquad$ $S \setminus F_1$ 

$F_0 = F_1\ and\ F_2$ $\qquad$ $F_1 \cap F_2$ 

h op t on true h s th v op t on S (shown tly low t) n 
t ng th t th s t sfi 1 ty s t o true s th nil s t o st t s S n th o 1 M 

false h s v op t on 0 n t ng th t th s t sh 1 ty s t o false s th 

pty s t. h v op t on sso t w th not shows th t th s t sh 1 
ty o not f s th s t ff n o S n th s t sh 1 ty s t o / not y 

th so t n F\. 1 ly and s hn y th nt s t on o th s t sh 1 ty 

s ts o th two su o ul s sp t v ly not Fi n F 2 . 

n th v op t on o ax s n low w s th us o so t 

1 ngu g onst 11 ts. w hn th s t sh 1 ty s t o ax f y hit ng th 

s t o st t s y un t on wh h s 1 ts only thos no s su h th t 11 o th 
su sso s n th s t sh 1 ty s t o /. 

$F_0 = ax\ F_1$ $\qquad$ $filter\ (\lambda n.\ succ(n) \subseteq F_1)\ S$ 

h v op t on o om s s 1 ut us s th limit n iterate op t ons 

to pi nt typ o 1 st hx po nt op to o th un t on sp h y th 
A xp ss on. 

$F_0 = F_1\ au\ F_2$ 

$\qquad limit\ (iterate\ (\lambda z.\ z \cup (filter\ (\lambda n.\ (succ(n) \subseteq z))\ F_1))\ F_2)$ 

h to p opos t ons sp h s v Is AP n A s £ff(AP) pp to 

th s t sh 1 ty s t y P th oil 1 ng un t on. 

$F_0 = p$ $\qquad$ $P(p)$ 



5.2 Imperative Meta Language Specification 



n th non t po 1 L op to s o not us ny t 
n th v op t ons th y th s li s n th 

t on. lius w show only th t po 1 op to s ax n au. 

tv Is tempi n th s v op t ons wh li 
t po y v Iso li us o v op t on. 



1 ngu g onst u ts 
un t on 1 sp fi 
us n t on 1 
pi y n w 



$F_0 = ax\ F_1$ 
  valof { 
    temp = ∅; 
    foreach n in S 
      if (succ(n) ⊆ F_1) then 
        temp = temp ∪ {n}; 
    F_0 = temp } 

$F_0 = F_1\ au\ F_2$ 
  valof { 
    temp1 = ∅; temp2 = F_2; 
    while (not temp1 = temp2) { 
      temp1 = temp2; 
      foreach n in F_1 do 
        if (succ(n) ⊆ temp1) then 
          temp2 = temp2 ∪ {n} } 
    F_0 = temp1 } 



h s v op t ons th p t v v s ons o th un t on 1 v 
op t ons gvn ov n t on .1. th while n for each op to s 

us to pi nt 1 st fix po nt op t on to o put s t sfi 1 ty s ts. 
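The derived operations for the CTL operators in 5.1 and 5.2 (the functional versions built from filter, iterate and limit, and the imperative valof/while/foreach version of au), run over a small model as an added example; this is not code from the paper. The Kripke structure, its labelling and the tuple encoding of formulas are constructed for the example, and limit and iterate are written to follow the informal definitions of 4.1 (iterate f x = x : iterate f (f x); limit returns the first element followed by an equal one).

```python
"""Satisfiability sets for CTL operators via derived operations.
Added example over a constructed model; not the paper's code."""
from typing import Callable, Dict, FrozenSet, Iterator, TypeVar

T = TypeVar("T")

# Constructed model M: states S, successor function succ, labelling P(p).
S: FrozenSet[str] = frozenset({"s0", "s1", "s2", "s3"})
SUCC: Dict[str, FrozenSet[str]] = {
    "s0": frozenset({"s1", "s2"}),
    "s1": frozenset({"s3"}),
    "s2": frozenset({"s2"}),     # self-loop that never reaches s3
    "s3": frozenset({"s3"}),
}
LABELS: Dict[str, FrozenSet[str]] = {   # P(p): the states satisfying proposition p
    "a": frozenset({"s0", "s1", "s2"}),
    "b": frozenset({"s3"}),
}


def succ(n: str) -> FrozenSet[str]:
    return SUCC[n]


def iterate(f: Callable[[T], T], x: T) -> Iterator[T]:
    """iterate f x = x : iterate f (f x)  (lazy, infinite stream)"""
    while True:
        yield x
        x = f(x)


def limit(xs: Iterator[T]) -> T:
    """First element that is followed by an equal element (1,2,3,3,... -> 3)."""
    prev = next(xs)
    for cur in xs:
        if cur == prev:
            return cur
        prev = cur
    raise ValueError("stream ended without a repeated element")


def ax(f1: FrozenSet[str]) -> FrozenSet[str]:
    """F0 = ax F1 :  filter (\\n. succ(n) <= F1) S"""
    return frozenset(filter(lambda n: succ(n) <= f1, S))


def au(f1: FrozenSet[str], f2: FrozenSet[str]) -> FrozenSet[str]:
    """F0 = F1 au F2 :  limit (iterate (\\z. z u (filter (\\n. succ(n) <= z) F1)) F2)"""
    return limit(iterate(lambda z: z | frozenset(filter(lambda n: succ(n) <= z, f1)), f2))


def au_imperative(f1: FrozenSet[str], f2: FrozenSet[str]) -> FrozenSet[str]:
    """The valof/while/foreach derived operation for au, as a loop."""
    temp1, temp2 = frozenset(), f2
    while not temp1 == temp2:
        temp1 = temp2
        for n in f1:
            if succ(n) <= temp1:
                temp2 = temp2 | {n}
    return temp1


def sat(formula: tuple) -> FrozenSet[str]:
    """Formulas as tuples: ('true',), ('false',), ('p', name), ('not', f),
    ('and', f, g), ('ax', f), ('au', f, g).  Returns the satisfiability set."""
    op = formula[0]
    if op == "true":
        return S
    if op == "false":
        return frozenset()
    if op == "p":
        return LABELS[formula[1]]
    if op == "not":
        return S - sat(formula[1])
    if op == "and":
        return sat(formula[1]) & sat(formula[2])
    if op == "ax":
        return ax(sat(formula[1]))
    if op == "au":
        return au(sat(formula[1]), sat(formula[2]))
    raise ValueError(f"unknown operator {op!r}")


if __name__ == "__main__":
    print(sorted(sat(("ax", ("p", "b")))))               # ['s1', 's3']
    print(sorted(sat(("au", ("p", "a"), ("p", "b")))))   # ['s1', 's3']: s0 and s2 can avoid b forever
```

Both au versions compute the same least fixpoint; the lazy limit/iterate pair is the functional form of the while loop, and the state s2 with its self-loop shows why the fixpoint rather than a single pass is needed.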
6 Comments and Future Work 

h t 1 ngu g s s h just th qu su s ts o g n 1 pu 

pos t 1 ngu g s wh h woul popul t n lg 1 ngu g p o ss ng 

nv on nt. M t 1 ngu g s shoul us 1 o pon nts n su h n nv 

on nt so th t lg o p 1 s gn s n hoos o oil t on o 

x st ng t 1 ngu g s n wh h to w t th t nsl to sp fi t ons. w 11 

sto k nv on nt woul h v un t on 1 n p tv styl t 1 ngu g s 
g v ng th 1 ngu g s gn so ho s on p son 1 p n o 1 n 

gu g styl . 

Mo po t ntly how v w woul Iso xp t th s nv on nt to on 

t n domain specific meta languages 1 w th sp 1 z onst u ts to ss 
ssu s oun n sp fi o ns o only n ount n 1 ngu g p o ss ng 
s w 11 s oth o ns su h st po 1 log o 1 h k ng wh h Iso h v 

solut ons s lg o p 1 s. t on 1 1 ngu g p o ss ng t sks w th sp 

fi o ns n lu typ h k ng opt z t on n p 11 1 z t on n o 

g n t on. n typ h k ox pi th t g t lg s woul h v op 

to s o th s typ s n typ onst u to s n s ts ont n ng typ s 

o typ xp ss ons. o n sp fi t 1 ngu g o typ h k ng wh h 

h s sp fi onst u ts o n g ng sy ol t 1 s n nv on nts woul 

h lp ul to th pi nto n us 1 n ft nt o p 1 s. n th s o 

th o 1 h k o n sp fi t 1 ngu g woul n lu 1 st fix 
po nt op to s n th so n woul k goo us o su h onst u t. 

op n th s p p w th nt on o tt ut g s n o nt 

h on t 1 ngu g s w th n tt ut g s s n th y t k si ghtly 

ft nt o th n n lg o p 1 s. lg o p 1 s ly on n x 

pi t fin t on o th t g t 1 ngu g n us t g t 1 ngu g op t ons o 

w t ng v op t ons. h s op t ons thus p ov st t ng po nt o 
ng t 1 ngu g tu s. tt ut g s to th t nt k no 

xpl t nt on o th t g t 1 ngu g n thus o not hv stot gtln 
gu g op t ons to p ov s st t ng po nt o w t ng s nt un t ons o 

fin ng tt ut v lu s. nst th yp ov s ngl g n 1 pu pos 1 ngu g 

o w t ng s nt un t ons. h s 1 ngu g o sn’t sufF th xp ss v n ss 

p o 1 s w s w ov ut t os lo k th us nto s ngl “ t 1 ngu g ” 

o fin ng tt ut v lu s. h v thus gu 1 th t ho o o n 

sp fi t 1 ngu g s n tt ut g s s Iso s 1 o ny o th 

s sons s th y n fi 1 n lg o p 1 s. 

pu su ng th s wo k n n ffo t to fin pp op t t 1 ngu g s o 
fin ng 1 ngu g onst u ts o th nt nt on 1 og ng ( ) 1 syst 

un v lop nt t M oso t. s n xt ns 1 p og ng nv on nt 
wh h llows p og s to fin th own 1 ngu g onst u ts 11 inten- 
tions n th to th p og ng nv on nt. nt st n 

xplo ng ff nt t 1 ngu g s n th o s ns o th t o fin ng 

su h nt nt ons. n th s o ns o typ h k ng opt z t on o 
g n t on t . n ount n o n sp fi t 1 ngu g s w 11 
us ul n th s syst s w 11. li y sp lly po t nt li s n pp op 







to n sp fi t 1 ngu g s s th 1 v 1 o st ton n wh h th 

nt nt on s gn wo ks n w 11 thus k s gn ng nt nt ons o son 
1 p o ss th t xp n p og s oul p o to t th own 

1 ngu g xt ns ons. o xp nt w th ff nt t 1 ngu g s w u 

ntly v lop ng s t o 1 ghtw ght p ototyp tools us ng lg o p 1 s 

n tt ut g s wh h us o n sp fi t 1 ngu g s. 

Ou ho o o 1 li k ng s n x pi sn’t s sot s t y p 

p . Mo 1 h k ng h s n us to p o t flow n lys s on p og 
ont ol n t flow g phs 1 n to fin opt z t on n p 11 1 z t on 

oppo tun t s n p og p n n yg phs 14 . n oth s s t po 1 log 

ts s sp fi t on 1 ngu go t n p tt ns n g ph p s nt t on o 

th p og wh h oun y o 1 li k . hus t po 1 log o s h v 
ppl t ons s o n sp fi t 1 ngu g n lg o p 1 s tt ut 

g s n 
1 Introduction 

n 6 w h v propo to mo 1 tr t t t p i lg r th t i 

( lg r o lg r ) p ir with ommon rri r. n thi ppro h progr m 
on n n n m pping to noth r n u h 

m pping 11 metamorphism i nti 11 giv n ompo ing th lg r o 
with th o lg r o . hi off r mu h r om in p i ing n 

m pping tw n th m. t 1 o provi n w progr mining t 1 n our ging 

th ompo ition 1 u o h propo ppro lr nti 11 u xi ting 

on pt u h lg r n o lg r on high r 1 v 1 o tr tion n 

thi i th r on th t 11 th 1 w v lop or lg r i t t p n till 

u or progr m tr n orm tion n optimiz tion in thi xt n r m work, 
ut in ition to thi th “progr mining ompo ition” t 1 off r 

om n w optimiz tion opportuniti or x mpl in int rm i t r 

intrin i 11 u in ingl thr w ompil r n utom ti 11 in rt 

i nt up t in pi impl m nt tion or th m 

( w 11 lg r i t t p ) r r tri t in th n th t th 

ompo ition (or r) nnot ontroll rom th out i . n oth r wor 

th ompo ition o v lu i ompl t 1 t rmin th m lv in 

v n . hi m k th tr tm nt o om t t p u h rr or gr ph 

i ult. n th t t p th ompo ition i o t n ontroll xpli itl 

giv n in i (r p tiv 1 no ) t lling whi h p rt o th v lu r to 

pro n xt. 11 t t p th t off r u h n in x random 

access data types or impl indexed data types, n x h vior n in 
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M tin wig 



prin ipl r liz in th ppro h ppropri t 1 ning n w om 

poun th t ont in th v lu ( rr gr ph) to in x w 11 

th in x v lu . ow v r thi r ult in r th r ompl x nition th t r 
i lilt to ompr li n . 

iff r nt olution i propo in thi p p r r t w g n r liz th ni 
tion o to ( indexed data type). nti 11 thi m n to xt n th 

rgum nt t p o th tru tor o th t it h xpli it to in x v lu . 

hi 1 to nition o n trialgebra. on th nition o 

m t morplii mi g n r liz to t k into ount th u n n mi g n r 

tion o in x v lu . hi g n r liz tion om in two fl vor r t or t 

t p lik rr h ving to 1 with onl on in x v In t tim impl 
on tru tion 11 exomorphism u . ow v r in th mor g n r 1 
or x mpl wh n ling with gr ph oil tion o in x v lu mu t h n 

1 n thi r quir mu h mor involv nition in whi h two t t p 

th prim r on n n uxili r on or toring in x v lu r pro 

imult n ou 1 . hi g n r 1 m pping i 11 synchromorphism. 

h p p r i tru tur ollow t r ri ing r 1 t work in th n xt 

tion w ri fl r vi w th g n r 1 t gori 1 ppro h to t t p in 
tion 3 ollow n intro u tion to our i lg r ppro h to tr t t 

t p in tion 4. h g n r liz tion to in x t t p i th n ri in 
tion . impl w to m p tw n with i hown in tion 6 n 

th v lopm nt o mor pow r ul kin o morphi m i pr nt in tion 

on lu ion in tion ompl t th p p r. 



2 Related Work 

h o 11 ir / M rt n orm li m 1 16 i on rn with th riv tion 

0 progr m rom p i tion . nti 1 in th t ppro h i th u o w 

pow r ul op r tor lik catamorphisms ( 1 o 11 fold or reduce ) in t o 

g n r 1 r ur ion. h ir work i origin 11 on li t onl ut it h n 

xt n to r itr r in u tiv 1 n ttp 111 19 9 ttp 

1 giv n morphi m whi li i x point o un tor ning th ign tur 

o th t t p . in x point r initi 1 o j t homomorphi m to oth r 

ttp r uniqu 1 n n thi m k it po i 1 to p i progr m 

on ttp impl 1 ting n ppropri t t rg t ttp. 

ork on progr m optimiz tion li pro t lot rom th t gori 1 p 
pro h wh n progr m r xpr t morphi m (or v n tt r h 

lomorphi m ) pow r ul u ion 1 w n u to limin t int rm i t t 

tru tur 13 19 20 . 

h t gori 1 r m work li n lmo t lw ppli to lg r i t 

t p th t i ttp th t r ju t giv n r t rm tru tur . li onl 

g n r 1 ppro li or xpr ing t morphi m ov r non r t t p w know 
o i th work o okking 11 10 . hi i to r pr nt t rm om in tor 

11 transformers n to r pr nt n qu tion p ir o tr n orm r . v 
r 1 prop rti o tr n orm r r inv tig t n it i hown how tr n orm 







r n orn in to i 1 n w tr n orm r thu r ulting in v ri 1 r 
1 ngu g or xpr ing qu tion h u o tr n orm r i mon tr t in 

howing th quiv In o two iff r nt t k impl m nt tion . lthough thi 

work or u lg r th t ti rt in 1 w on nnot m p into lg r 

with 1 tru tur 10 11 14 . hi inno nt looking r tri tion m n r th r 

v r limit tion o xpr iv n or in t n progr m or ounting th 1 
m nt o t cannot xpr t morplri m. hi r tri tion w 

li t th propo 1 w m in 6 . 

Some work has already been done for specific abstract data types. Interestingly, these are always indexed data types in our sense. In [3] three different views of arrays are presented, and for each view corresponding fold operations. 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graph catamorphisms are defined, and some basic functions on graphs, such as reversing the edges of a graph, can be expressed as graph catamorphisms. However, the whole approach is very limited since it applies only to acyclic graphs having no edge labels. We have presented a more general view of graphs in earlier work. In that paper an important aspect was the definition of a couple of fold operations that can be used to express operations such as graph reversal, depth-first search, evaluation of expressions, or computing all simple paths in a graph. Two theorems for program fusion were presented that allow the removal of intermediate search trees as well as intermediate graph structures. We can express graph algorithms as synchromorphisms, including depth-first and breadth-first search and even Dijkstra's shortest path algorithm. The view on graph algorithms that is provided by synchromorphisms is similar in spirit to the fixed set of graph exploration operators that were identified in [4].

3 Categorical Data Types 

In this section we give a very brief review of the categorical framework for modeling data types. More detailed introductions can be found, for example, in [2, 10, 1, 20]. Examples follow in later sections.

Our default category C is CPO, whose objects are complete partially ordered sets with a least element ⊥ and whose morphisms are continuous functions. Working in CPO guarantees the existence of least fixed points for recursive equations, such as for hylomorphisms and those of Sections 6 and 7.1. We consider polynomial endofunctors on C, which are built from the four basic functors identity (I(A) = A), constant (A̲(B) = A), product (A × B = {(a, b) | a ∈ A, b ∈ B}) and separated sum (A + B = {1} × A ∪ {2} × B ∪ {⊥}). The definition of × and + on functions is given below, together with several additional operations:




Martin Erwig



( 


+)(!,) 


(1, ) 


( x ) ( , ) 


( , 


) 


( 


+ ) (2, ) 


(2, ) 


( , ) 


( , 


) 




( + ) -L 


_L 


i ( , ) 








, (1, ) 




2(>) 








, (2, ) 




r 


(1. ) 






, J- 


X 


2 


(2, ) 





For an object A we denote its constant function by A̲, that is, A̲(x) = A. (Note also that function application binds strongest, and × binds stronger than +, which in turn binds stronger than composition "∘".)

Separated sum and product are bifunctors that map from the product category C × C to C. Fixing one parameter of a bifunctor yields a monofunctor; the (left) section of a bifunctor F and an object A is defined by F_A(B) = F(A, B). Thus, for example, ×_A is a monofunctor which takes an object B and maps it to the product A × B.

We will later need the following functors:







O a 


1 +. 





La 


1 + 


_ X 
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_ X 




Q 


1 + 


X 
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u 11 


not (1, ) 
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(2, ) 


l n r 
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w 11 
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vi tion 


u lr 


LR 


or l (r ). 
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F: C → C. Then an F-algebra is a morphism α: F(A) → A. The object A is called the carrier of the algebra. We can extract the carrier of an algebra with the forgetful functor U, that is, U(α) = A. Dually, an F-coalgebra is a morphism A → F(A), and a homomorphism from algebra α: F(A) → A to algebra β: F(B) → B is a morphism h: A → B in C that satisfies h ∘ α = β ∘ F(h). The category of F-algebras Alg(F) has as objects F-algebras and as arrows homomorphisms. If F is a polynomial functor on CPO, Alg(F) has an initial object, which is denoted by in_F. This means that in_F is an F-algebra with carrier U(in_F). For example, the algebraic data type of cons lists with constructors [Nil, Cons]: L_A(list) → list is nothing but the initial algebra in_{L_A}. Dually, CoAlg(F) has a terminal object, denoted by out_F, and out_F is an F-coalgebra with the same carrier as in_F; in_F and out_F are each other's inverses and thus define an isomorphism U(in_F) ≅ F(U(in_F)) in CPO.

Initial and terminal objects are unique up to isomorphism, and they are characterized by having exactly one morphism to, respectively from, all other objects. This means that for each algebra α in Alg(F) there is exactly one homomorphism in_F → α. Since it is uniquely determined by α, it is conveniently denoted by (|α|)_F and is called catamorphism [1]. Dually, for each coalgebra in CoAlg(F) there is exactly one homomorphism into out_F, which is denoted by [(·)]_F and which is called an anamorphism. A hylomorphism is essentially the composition of a catamorphism with an anamorphism.
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4 Abstract Data Types and Metamorphisms 

We define an ADT to be a pair (α, ᾱ) where α is an F-algebra, ᾱ is a G-coalgebra, and U(α) = U(ᾱ). Such an algebra/coalgebra pair with common carrier is called an F,G-bialgebra [11]. (An F,G-bialgebra is a special case of an F,G-dialgebra, that is, BiAlg(F, G) is a special case of DiAlg [10]. Working with bialgebras is sufficient for our purposes and makes the separation of constructors and destructors more explicit.) Given an ADT D = (α, ᾱ), we call α the constructor of D and ᾱ the destructor of D.

Let us consider two examples. First of all, algebraic data types can be regarded as ADTs by taking the initial algebra as constructor and its inverse as destructor. For example, List = (in_{L_A}, out_{L_A}) is an L_A,L_A-bialgebra.

As an example for a non-algebraic data type, consider an ADT for sets. We define sets based on the "cons" view given by L_A: we take in_{L_A} as the constructor, and the destructor must ensure that each value is retrieved from the set at most once. This can be realized by splitting off an arbitrary element (for example, the first one) and removing all occurrences of this element in the returned set. With a function filter that takes a predicate p and yields the sublist of elements for which p yields true, we can define a further function remove:

remove(x, s) = filter(≠x)(s)

Here the partial application (≠x) denotes the function λy. y ≠ x, that is, the predicate that yields true for all values that are not equal to x. Thus we can define the destructor and the set ADT as

deset = (1 + (π1, remove)) ∘ out_{L_A}
Set = (in_{L_A}, deset)

Note that the definition works only for types A for which equality is defined.
L t (a, a) n , i lg r 1 t ( , ) , i lg r n 

It ( , — ) n M, i lg r . 

iv n n tur 1 tr n orm tion — > M th metamorphism rom 

to i n th 1 t olution o th qu tion 
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m t morphi m rom lg r i t t p r u 



'W 



( )h 



( in H , out H ) 



(M t lg) 



Let us consider a few examples. Metamorphisms for algebraic data types translate directly from the corresponding catamorphisms. For instance, if we represent the natural numbers by Nat with constructor [Zero, Succ] = in_{1+I}, the length of lists can be computed by the metamorphism

length: List ⇒ Nat

Since metamorphisms are based on explicitly defined destructors, we can also count the number of elements in a set:

card: Set ⇒ Nat

The composition of two metamorphisms can filter the values of one ADT "through" another, or, putting it differently, thus defines a filter from the source of the first metamorphism to the target of the second:

g ∘ f   (Filter)

We call the source of f the source and the target of g the target of the filter, and the intermediate ADT is called the filter data type. Again we omit φ and ψ if they are just identities. Filters provide a convenient way for expressing certain algorithms, for example

List ⇒ Set ⇒ List   (remove duplicates)

List ⇒ Heap ⇒ List   (heapsort)

For algebraic data types there are several laws for metamorphisms [6]. One important result is a generalization of the fusion law for algebraic data types:

Theorem 1 (ADT Fusion), o i => □ 

Another very general relationship can be obtained by deriving the "free theorem" [21] for the type of metamorphisms.

Theorem 2 (FreeMeta). If is strict, then for any two , -bialgebras 
(a, a) and (a, 7) and two M, -bialgebras ( , — ) and ( , — ): 

o o ( ) A 7 o ( )oa o( ^ ) ( ) o □ 



This general law can be instantiated to many different useful program transformation rules.




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5 Indexed Data Types 

When an ADT is processed by a metamorphism, the decomposition is completely controlled by the ADT itself, that is, the definition of the coalgebra completely determines the decomposition order. (This is, of course, also true for algebraic data types, where catamorphisms just follow the term construction.) For some applications, however, it is very useful to have external control over the decomposition of the ADT involved. Consider the simple task of deleting a specific number from an integer set. Of course, we can express this as a metamorphism that filters from the set all elements that are not equal to the number, but an even simpler solution is, instead of linearly decomposing all numbers from the set, to directly ask for the specific decomposition (number, remaining set). Then the result is simply given by the remaining set.

This example raises several issues. First, the destructor of such an ADT is not any more simply of type D → G(D), but rather of type I(D) → G(D), to account for an additional argument ("index") for the decomposition. We will therefore extend the definition of ADTs to "indexed ADTs". Second, the requested decomposition might not be possible at all; for example, in the above example the number might not be contained in the set. This affects the definition of mappings from such ADTs, which have to handle such failures. Finally, we need a way to specify how index values are generated during (or into) the decomposition process. In the simplest case the next index can be computed by a function parameter; we will consider this in Section 6. The more general case is treated in Section 7.

We start by generalizing the definition of ADTs. An indexed data type (IDT) is a pair (α, ᾱ) where α is an F-algebra, ᾱ is an I,G-dialgebra, and U(α) = U(ᾱ). We call D an I,F,G-trialgebra; again, α is the constructor and ᾱ is the destructor of D. As an example, consider the above set with random access to its elements: we have α = in_{L_A} and ᾱ = extract with 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if the index is not contained in the array, the unit value () is returned. Thus dearr is a ×_X, L(X×A)-dialgebra, and then Array = (in_{L(X×A)}, dearr) is an L(X×A), ×_X, L(X×A)-trialgebra.

Graphs are another example for IDTs. In the inductive view of directed graphs we have proposed in earlier work, graphs can be constructed by two constructors: empty, which denotes the empty graph without any nodes, and embed, which extends a graph by a node context, that is, a labeled node together with its incoming and outgoing edges. To stay with polynomial functors we define a functor L^(k) for denoting lists of length not greater than k, defined recursively by L^(k+1) = 1 + A̲ × L^(k). Now the type of node contexts for node type X and label type Y is given by the following bifunctor:

Ctx(X, Y) = L^(k)(X) × X × Y × L^(k)(X)

that is, a four-tuple consisting of a list of nodes (predecessors), a node, a label, and another list of nodes (successors). The type of graphs of bounded in- and out-degree k is then defined by the following ternary functor:

Gr(X, Y, Z) = 1 + (Ctx(X, Y) × Z)

Then the graph constructor is given by the Gr_{X,Y}-algebra [empty, embed]. (For a precise semantics of empty and embed, see our earlier work.)

The graph destructor degraph essentially retrieves and removes a specific node context from the graph. This means, given a node x and a graph g, degraph(x, g) returns a pair (c, g′) where c = (p, x, l, s) is the context of x in g and g′ is g without x and its incident edges. If x is not contained in g, degraph yields (). Thus degraph: ×_X(graph) → Gr_{X,Y}(graph), and we obtain graphs as the Gr_{X,Y}, ×_X, Gr_{X,Y}-trialgebra

Graph = ([empty, embed], degraph)

6 Exomorphisms 

The recursion in metamorphisms is realized by applying M(f) to the result of ᾱ, which works since ᾱ has type D → G(D). Since the destructor of an IDT is an I,G-dialgebra, that is, ᾱ: I(D) → G(D), we cannot simply express the recursion as G(f) ∘ ᾱ, since ᾱ (and thus f too) is applied to I(D) values and not simply to D values. Therefore we have to prepare the recursion by first applying a function ψ: G(D) → G(I(D)) which inserts supplied index values for all the recursive occurrences of D values.

Let D = (α, ᾱ) be an I,F,G-trialgebra with U(α) = U(ᾱ), and let E = (β, –) be an M,N-bialgebra whose destructor is irrelevant here. Given two functions

φ: G(E) → M(E)

ψ: G(D) → G(I(D))

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we define the exomorphism from D to E as the least morphism f satisfying

f = β ∘ φ ∘ G(f) ∘ ψ ∘ ᾱ

and write it as (D ⇒ E)_ψ. Since ψ is a parameter of the exomorphism, it provides control over the decomposition from the "outside".

As a simple example, consider the storage of linked lists implemented with arrays. The array cells consist of pairs (x, i) representing cells where i is an integer pointing to the next cell. With the function ψ = 1 + (π1, (π2 ∘ π1, π2)), which pairs the pointer of the decomposed array cell (π2 ∘ π1) with the remaining array (π2) and pairs this with the found list entry (π1), we can retrieve the list stored in the array a beginning at position i by

(Array ⇒ List)_ψ (i, a)

7 Synchromorphisms 

We have seen that the next index value depends, in general, on preceding decompositions. This means that index generation has to happen dynamically: it must be performed "on the fly" during the decomposition of the ADT, and hence the sequence of indices is generally not known in advance.

The limitations of exomorphisms are mainly due to their inability to handle more than one index at a time, that is, we are missing an option to intermediately store collections of indices. Now ADTs themselves are suited very well for this index buffering, and when we are going to define a recursion scheme for IDTs in Section 7.1, this will in fact turn out to be a scheme for processing IDTs with the buffer ADT hand in hand. In Section 7.2 we present some examples.

7.1 Buffered Decomposition of IDTs 

A synchromorphism takes three arguments: a source IDT, a target ADT, and a buffer ADT for storing and delivering index values. A synchromorphism informally works as follows: the IDT is decomposed, and (i) from the result some fresh index values are computed that are inserted into the buffer, and (ii) a part of the result is inserted into the target ADT. Immediately after that the buffer is requested to yield a new index, which is then used in the next iteration to decompose the remaining IDT value.



L t 


(a, a) 


n 


, , tri lg 


r with 




(a) 


(a) 


1 1 


( , ) 


1 


i lg r 


with 


( ) 


( ) n 1 1 




( ,-) 


n M, 


i lg r 


with 


( ) 


(-)• 


i th 


t p 0 


in 


X V lu . 


t i hr 


tw 


n th t 


p 0 n 


n 


w 


um th 


t 


11 un tor 


1 1 1 


n 


r 1 t 


tion 0 i 


un tor 


h ving 


X 




th ir r t 



rgum nt. 
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Recall the roles of the functors: F and I define the argument types of the source constructor and destructor, respectively, and G defines the result type of the source destructor. J defines the argument type of the buffer constructor, and K defines the result type of the buffer destructor. This means that the source IDT and the buffer carry index values, whereas the target ADT in general does not.

In the following we use variable names that indicate their type; for example, g is an element of G(A) and hg is an element of H(G(A)). We develop the definition of synchromorphisms step by step, collecting requirements and incrementally fixing design decisions. The construction is summarized in Figure 1.



Fig. 1. Categorical definition of synchromorphisms (diagram over the objects A × I, G(A) × B, H(A) × B, K(B), J(B), H(A) × J(B), H(A + G(A) × B), H(A + C) and M(C), with arrows ᾱ, ψ1, ψ2, β, β̄, H(I + f) and φ).

First, a synchromorphism f takes an argument and a buffer and produces a value of the target ADT. Therefore f has the following type:

f: G(A) × B → C

Since the destructor yields an element h ∈ G(A), we have to apply a function to h to enable the recursive application of the synchromorphism. After the recursive application we apply a function extracting relevant information to aggregate the constructor of the target ADT.

Next we explain how to obtain a suitable definition for the first of these functions. The synchromorphism has to perform the following steps:

1. Initially decompose the IDT with the supplied index, that is, h = ᾱ(a, i) ∈ G(A).

2. Extract fresh index values from h to insert into the buffer. How this should be done is application-specific, and it is specified by a parameter function ψ1.

3. Insert the fresh index values into the buffer and retrieve the next index value i′ from the buffer for further decomposition of the IDT. We thus obtain something like

i′ … = β̄ ∘ β ∘ ψ1(h)

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The dots "…" indicate that actually β̄ yields a value j of which i′ is in general only a part.

Note that ψ1 not only has to extract fresh index values but also has to arrange them properly around the buffer so that β can be applied. Thus the



r ult mu t o t p ( ) 


n w 


g t 
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) X — ( 


) 






n now ompo 11 tlir 


t p . 


ith 








a x 
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) X — ( 


) x 
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) x — ( ; 


) 






w o t in ( i) o o i) 


o a x 


0 t p 
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) X -K ( 


) X 


( ) 




ow two thing r m in to 


on 










4. om in th r m ining 
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( p rt o 


h) 


n th n xt in 


x v lu 


i into v lu hg th t llow 


to 


ompo 


in 


x i (in 


r ur ion 


tru tur pi ). g 


in thi 


i ppli tion 


P 


i n houl 


th r or 



pi p r m t r un tion 2 ( ) x ( ) — > (())• 

1 t th r lilting uff r ( rom j) or i tri ution into hg th tru 
tur ont ining th r m ining /n xt in x om in tion . li 1 tion i 

ir t th ppli tion n r quir urth r un tion 2 ( ) — ► 

( i tri ution into hg oul hi v ). 

Now a problem occurs if j does not contain a buffer value at all. This usually happens if the buffer is exhausted (then j will be, for example, ()). In order not to complicate the typing further, it seems best to combine ψ2 and ψ2′ into one function ψ2: G(A) × K(B) → H(G(A) × B) that is supplied by the programmer and that then calls the above internally.

But since j is not guaranteed to contain a buffer value, it might well fail to produce a next index value (again, for example, in the case the buffer is exhausted). In that case we cannot distribute a buffer, and we cannot even build a value hg. Then we simply pass j so that the value can be used later, and we have ψ2: G(A) × K(B) → K(B) + H(G(A) × B), which can also be written, moving the sum into H, as





2 


( ) 


x ( )- 


( + ( )x ) 






We have not yet discussed the case when ᾱ fails to produce a new G value. This could well happen if the required index decomposition is not possible. In that case the old, undecomposed value (from g) should be taken and combined with the buffer (if available; otherwise the recursion stops). But since the old value is not available any more, the easiest solution is to rely on an appropriately adapted definition of ᾱ, that is, instead of simply returning (), ᾱ could well be defined to return its argument unchanged whenever decomposition is not possible.
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ription 0 


ii 


il 


imm i t 1 


top 
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pr rv (ol ) 
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n 
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ok 


il 


ju t p H 
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top 


ompo ition 
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ok 


norm 1 r ur 
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Whenever ᾱ is successful, the result type of ψ2 is H(G(A) × B); otherwise it is K(B).



ow w n orm 11 


n 


n hromorphi m. iv n th un tion 


( 


+ 


) — > M( 


) 


1 ( 


) X 


- ( 


) 


2 ( 


) X 


( )- 


( + ( )X ) 


, synchromorphism 


to 


i n 


th 1 t olution 0 th ollowing 



qu tion 

o o ( + ) o 

wh r 



not th 



2 ° ( 1, 0 o i)oaX 



n hromorphi m 



a 1 




7.2 Examples 

Let us begin with expressing depth-first search (DFS) as a synchromorphism. Roughly spoken, DFS decomposes a graph by extracting a particular node context, pushing the successors from that context onto a stack, and extracting the top of the stack to continue graph decomposition. In addition, a part of the context is aggregated in the target ADT; for example, the visited nodes are put into a list.

Thus we can take a list ADT with a constructor that can insert lists of nodes and use the following Q,L_X-bialgebra (++ is the function for concatenating two lists):

Stack = ([Nil, ++], out_{L_X})

We can use the List ADT for collecting visited nodes, but we have to account for the case that a visited node is not available for insertion into the result list whenever the graph decomposition fails. Therefore we use the "option" or "maybe" 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type O_A to wrap nodes. Finally, we cannot directly use the Gr_{X,Y}, ×_X, Gr_{X,Y}-trialgebra Graph from Section 5, since we require the destructor to pass the argument graph if destruction is not possible. We therefore redefine

degraph′(x, g) = (g̲ + id)(degraph(x, g))

Graph′ = ([empty, embed], degraph′)


o umm riz w h v th un tor 






+ CtXx.Y x Q, 


L x n 


M L 1+x ( !+(! + _) 


IX ). 


hi giv 


th ollowing t p ( 


n 


r th rri r o gr ph t 


k 


n li t 


n n Y r th t p 


o no 


n no 1 1 ) 










( ) x 




( ) 


+ Ctxx,Y x 




( ) 1+ x 




( ) 


1 + x 








M( ) 


1 + ( 1 + ) X 


xt w 


n th un tion i, 2 


n 


1 P ir 


th u or ( 4) 0 th 


xtr t 


ont xt ( 1) or n mpt 


li t 


with th 


uff r n th r or lw 


r turn 


th on It rn tiv ( 2) 0 


• ( 


)■ 






1 2 0 


( Nil, 


40 ! ) X 



ψ2 combines the remaining graph and the next index and distributes fresh indices into the remaining stack. It also has to preserve undecomposed values for insertion into the target. ψ2 actually controls the different cases of the recursion:

(i) Graph decomposition has failed and the stack is exhausted: the recursion is stopped; the graph, which is passed only for typing reasons, will be ignored.

(ii) Graph decomposition failed and a new index i is available: proceed with decomposing the old graph (delivered by the modified degraph) at i.

(iii) Graph decomposition yields a context and a remaining graph, but the stack is exhausted: terminate the recursion and pass the context so that the last visited node can be put into the target list.

(iv) Graph decomposition yields a context and a remaining graph, and a new index i is available: this is the "normal" recursion case; pass the context to later extract the visited node and continue the recursion with decomposing the remaining graph at i.

For readability we provide a pointwise definition of ψ2:

2 (l ,l()) ll 2 (l ,R (i, )) lr((*, ), ) 

2 (r( , ),l()) R( ) 2 (a( , ),r(«, )) R( ,r((*, ), )) 

Finally, the definition for φ follows the structure of the results of ψ2: (i) on termination the unit value is returned, which is mapped by the target into Nil. (ii) No context is available; build a pair of () and the recursively computed list of nodes. The "none" value () will be inserted into this list and 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can eventually be removed by applying a post-processing function keeping only the nodes. (iii/iv) Extract the visited node from the context and pair it with the empty list (on termination, case (iii)) or with the recursively computed list (in case (iv)).



(ll ) 


-o 




(lr ) 


r(l(), ) 


(r( ,L )) 


R (r 


( 2 ( )), mi ) 


( R ( )) 


«(«( 2 ( )), ) 


DFS is then defined as follows:

dfs = (List ⇐ Graph ⇐ Stack)_{ψ1, ψ2}


It is obvious how to express breadth-first search: we can just substitute a queue buffer for the stack buffer, and we obtain

bfs = (List ⇐ Graph ⇐ Queue)_{ψ1, ψ2}

We can also express more complex algorithms, for example Dijkstra's algorithm for finding shortest paths. This is shown in the long version of this paper.

We have only shown graph algorithms as examples for synchromorphisms (further examples are Prim's minimum spanning tree algorithm and Kruskal's minimum spanning tree algorithm), and in fact expressing graph algorithms as instances of fixed recursion schemes was the main motivation for developing synchromorphisms. However, we believe that there are different application areas. For example, the plane sweep paradigm for algorithms of computational geometry seems to fit the presented scheme: the buffer can be used to implement the sweep line status structure, and the IDT is a collection of geometric objects (which, however, is scanned in index order most of the time, so that the index is not always needed).

8 Conclusions 

We have demonstrated how to extend categorical abstract data types to indexed data types, and we have shown definitions of recursion operators operating on these data types. With these combinators we can now express algorithms that use data types in a random-access manner.

The next step is to investigate the transformation of such algorithms into efficient programs. This can go along the same lines as introducing libraries of efficient implementations and defining simple optimizing transformations that automatically select the implementations.
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1 Introduction 

This paper describes the role of computational monads in the denotational semantics of sequential Java that has been developed as part of the LOOP project (Logic of Object-Oriented Programming) [11, 15]. This Java semantics provides the basis for formal reasoning about Java programs using theorem provers. A compiler has been developed, called the LOOP tool, which, given a sequential Java program, generates its semantics in a form that can be input to a theorem prover. The theorem provers currently supported are PVS [13] and Isabelle [1], so the LOOP tool can generate the semantics of Java programs in several so-called theories. Another aim of the LOOP project is to reason about a real programming language, warts and all; the Java semantics therefore covers all of sequential Java, including details such as exceptions, breaks and non-termination. It has been used to reason about existing Java programs, for instance to prove an invariant property of the Vector class in the Java standard library.

We will not describe the denotational semantics of all of the Java constructs in this paper, but concentrate on the use of monads to organize the semantics from a single perspective. A denotational semantics for Java is more complicated than the semantics typically considered in textbooks on denotational semantics. Not only does it involve the possibility of non-termination (using the familiar ⊥), but it also involves different forms of abrupt termination of programs, such as exceptions, and the different ways of "jumping out" of methods and repetitions via break, return and continue statements.

We show that the computational monad approach [12] provides a useful level of abstraction and a good means of organizing all the complications that come with defining the semantics of a real programming language like Java. The paper also provides post hoc justification of the Java semantics used in the LOOP 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project by giving some of the essential properties of the monadic structure and of the interpretation of some particular Java constructs.

Interestingly, the Java semantics used in the LOOP project has originally been developed from a coalgebraic perspective [16, 9, 10]. This perspective focuses on the state space as a black box and leads to useful notions like class invariants and bisimilarity. The computational monad view is different. It keeps the state space explicit and focuses on the (functional) input-output behaviour. It took us 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corresponds to Java composition and its extension to Java extension. Furthermore, the homsets in its Kleisli category have a cpo structure. Next, in Section 5, while statements and recursive statements are studied in this framework. It is shown how an operational definition of while, taking abnormalities into account, can be defined as a least fixed point, like in standard denotational semantics. The cpo structure of Kleisli homsets allows us to deal with recursive statements in the usual way. This whole computational monad approach has (also) been formalized in PVS. This is briefly discussed in the final Section 6.

2 Preliminaries 

We shall make frequent use of n-ary products X1 × ⋯ × Xn of sets Xi with projection functions πi: X1 × ⋯ × Xn → Xi. The empty product when n = 0 is a singleton set, which is written as 1. We also use n-ary coproducts (or disjoint unions) X1 + ⋯ + Xn with coprojections (or injections) κi: Xi → X1 + ⋯ + Xn. The "case" construction is perhaps not so familiar: given n functions fi: Xi → Y, there is a unique function f: X1 + ⋯ + Xn → Y with f ∘ κi = fi for all 1 ≤ i ≤ n. We shall write

f(z) = CASES z OF { κ1(x1) ↦ f1(x1), …, κn(xn) ↦ fn(xn) }

This function matches if z ∈ X1 + ⋯ + Xn is of the form κi(xi) and applies in that case fi to xi.
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3 Java Semantics for Verification 

This section explains the essentials of the semantics of (sequential) Java used in the LOOP project. As such it exists in the form of a definition in higher order logic, in so-called prelude files, which form the basis of
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conventional notation of (1 + S)^S. The 1 + ⋯ option in the result type signals non-termination (or "hanging").

Similar to program statements, an expression e, possibly having side-effects, is interpreted as a function S → 1 + (S × B). Again the +-option 1 in the result type signals non-termination. The second option is for normal termination, which for expressions (of type B) yields a state, for the side-effect, and a result value in B.

In a real programming language like Java, however, things are more complicated. Statements and expressions in Java can not just hang or terminate normally; they can also terminate abruptly. Expressions can only terminate abruptly because of an exception (e.g. through division by 0), but statements may also terminate abruptly because of return (to exit from a method call), break (to exit from a block, repetition or switch-statement) or continue (to skip the remainder of a repetition). The last two options can occur with or without a label. Consequently, the result types of statements and expressions will have to be more complicated than the 1 + S and 1 + (S × B) above. The result types of statements and expressions are StatResult(S) and ExprResult(S, B), where

StatResult(S) = 1 + S + StatAbn(S)

ExprResult(S, B) = 1 + (S × B) + ExprAbn(S)

StatAbn(S) and ExprAbn(S) are the types of statement and expression abnormalities defined below.

Later, in the monadic description, we shall abstract away from the particular shape of the abnormalities, but for now we want to show what really happens in the semantics of Java (that is used for verification). We show explicitly all
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the abnormality options in appropriate definitions involving the state space. The abnormal termination of statements is captured via four options:

StatAbn(S) = (S × RefType) + S + (S × (1 + String)) + (S × (1 + String))

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where RefType and String are constant sets used for references and strings. The first +-option S × RefType is an exception result, consisting of a state and a reference to an exception. The second +-option is for return results, the third one for break results (possibly with a string label) and the fourth one for continue results (also possibly with a string label).

Since exceptions are the only abnormalities that can result from expressions, we have

ExprAbn(S) = S × RefType.
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4 The Monad for Java Semantics and Its Properties 

This section introduces an appropriate monad J for Java statements and expressions. Its (categorical) properties are investigated in some detail, with emphasis on extension and composition, and on the homsets of the Kleisli category Kl(J) of the monad J.

The first step is to simplify the situation from the previous section. This is done by ignoring the complicated structure of Java abnormalities and using one set E in place of both StatAbn and ExprAbn. Then we can see statements as a special form of expressions, namely with result type 1. Thus our general statements and expressions are functions of the form

S × A → 1 + (S × B) + (S × E)

Within the LOOP semantics they are seen as coalgebras

S → (1 + (S × B) + (S × E))^A

but here we shall look at them as morphisms

A → (1 + (S × B) + (S × E))^S

in the Kleisli category of a monad. Of course, studying the two presentations is equivalent, but they give different perspectives. In the coalgebraic view the state space S plays a central role; in the monadic view state is just one of the ingredients of the monad, like partiality and exceptions.

Definition 1. Let Sets be the category of sets and functions. Fix two sets E 
for exceptions and S for states. A functor J Sets — ► Sets is defined by 

J(A) = (1 + (S × A) + (S × E))^S   (3)

It forms a monad with unit and multiplication natural transformations:

η_A: A → J(A),   μ_A: J²(A) → J(A)

given by

η_A(a) = λx ∈ S. κ2(x, a)

μ_A(f) = λx ∈ S. CASES f(x) OF {
  κ1(u) ↦ κ1(u),
  κ2(x′, g) ↦ g(x′),
  κ3(x′, e) ↦ κ3(x′, e) }.
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It is not hard to check that the three monad equations μ_A ∘ η_{J(A)} = id = μ_A ∘ J(η_A) and μ_A ∘ J(μ_A) = μ_A ∘ μ_{J(A)} hold. Notice that the monad J incorporates ingredients from the basic computational monads introduced in [12]: the partiality monad A ↦ 1 + A, the exception monad A ↦ A + E, and the side-effect monad A ↦ (S × A)^S. But J is not obtained via composition from these monads, so the modular approach to computational monads from e.g. [3] is not relevant here.



4.1 Extension and Composition 



It is folklore knowledge that every functor F: Sets → Sets is strong, with strength natural transformation st_{A,B}: A × F(B) → F(A × B) given by (a, z) ↦ F(λb ∈ B. (a, b))(z). This strength definition applies in particular to the above functor J. Explicitly,

st_{A,B}(a, f) = λx ∈ S. CASES f(x) OF {
  κ1(u) ↦ κ1(u),
  κ2(x′, b) ↦ κ2(x′, (a, b)),
  κ3(x′, e) ↦ κ3(x′, e) }.   (4)

In order to show that J is a strong monad, and not just a strong functor, we have to check that additionally the following diagrams commute.



id rtn . , 

A B ^ A J(B) 

St A,B 

J(A B) 




A J 2 (B) 

st A,J(B) 

J(A ^(B)) 

J(st a,b) 

J 2 (A B) 



id (ib 



• A J(B) 



St A,B 



VAxB 



J(A B) 



This is an easy exercise.

Using this strength map there is a standard way to turn a function f: A × B → J(C) into a function f*: A × J(B) → J(C), namely

f* = μ_C ∘ J(f) ∘ st_{A,B}   (5)

Explicitly, this "Kleisli extension" f* is, on a ∈ A and g ∈ J(B),

λx ∈ S. CASES g(x) OF {
  κ1(u) ↦ κ1(u),
  κ2(x′, b) ↦ f(a, b)(x′),
  κ3(x′, e) ↦ κ3(x′, e) }
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Example 1. Recall that Java (like C) has two conjunctions, namely "and" & and "conditional and" && [5, 15.22]. The first one (&) always evaluates both arguments, but the second one (&&) only does so if the first argument evaluates to true. The difference is relevant in the presence of side-effects, non-termination or exceptions. We show how both these operations can be obtained via Kleisli extension, starting from the standard conjunction operation ∧: bool × bool → bool.

First, the one-step extension (η_bool ∘ ∧)*: bool × J(bool) → J(bool) only has to evaluate its second argument. Swapping the arguments appropriately, via the function swap with swap(x, y) = (y, x), and extending again yields

& : J(bool) × J(bool) → J(bool),   & def= ((η_bool ∘ ∧)* ∘ swap)* ∘ swap

Explicitly, on (f1, f2) this is

λx ∈ S. CASES f1(x) OF {
  κ1(u1) ↦ κ1(u1),
  κ2(x1, b1) ↦ CASES f2(x1) OF {
    κ1(u2) ↦ κ1(u2),
    κ2(x2, b2) ↦ κ2(x2, b1 ∧ b2),
    κ3(x2, e2) ↦ κ3(x2, e2) },
  κ3(x1, e1) ↦ κ3(x1, e1) }

The conditional and && is obtained by once extending the auxiliary function t: J(bool) × bool → J(bool) given by t(f, b) = IF b THEN f ELSE η_bool(false):

&& : J(bool) × J(bool) → J(bool),   && def= t* ∘ swap

This concludes the example.
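To make the two conjunctions of Example 1 concrete, here is an added Python model of the monad J from Definition 1 together with Kleisli extension (5), Kleisli composition (6) and the definitions of & and &&. It is an illustration written for this page, not code from the paper or from the LOOP project. The state space S is modelled as an integer counter and the exception set E as strings, both constructed choices, and the sample operands (one that increments the state, one that raises an exception, one that diverges) are constructed as well.

```python
"""Model of J(A) = (1 + (S x A) + (S x E))^S with Kleisli extension and the
Java conjunctions & and &&.  Added example, not code from the paper; S is an
int counter and E a set of strings (constructed choices)."""
from dataclasses import dataclass
from typing import Callable, Union


@dataclass(frozen=True)
class Hang:                      # kappa_1(u): non-termination
    pass


@dataclass(frozen=True)
class Normal:                    # kappa_2(state, value): normal termination
    state: int
    value: object


@dataclass(frozen=True)
class Abnormal:                  # kappa_3(state, exc): abrupt termination
    state: int
    exc: str


Result = Union[Hang, Normal, Abnormal]
Comp = Callable[[int], Result]   # an element of J(A): a function S -> Result


def unit(a) -> Comp:
    """eta_A(a) = lambda x in S. kappa_2(x, a)"""
    return lambda x: Normal(x, a)


def kleisli_ext(f):
    """f: A x B -> J(C)  |->  f*: A x J(B) -> J(C), equation (5): run g and,
    on normal termination, continue with f(a, b) in the new state; hanging
    and abrupt results are passed through unchanged."""
    def f_star(a, g: Comp) -> Comp:
        def run(x):
            r = g(x)
            if isinstance(r, Normal):
                return f(a, r.value)(r.state)
            return r
        return run
    return f_star


def kleisli_compose(g, f):
    """(g . f)(a) for f: A -> J(B), g: B -> J(C), equation (6)."""
    return lambda a: kleisli_ext(lambda _, b: g(b))(None, f(a))


def swap(p):
    return (p[1], p[0])


def strict_and(f1: Comp, f2: Comp) -> Comp:
    """Java '&' = ((eta_bool . and)* . swap)* . swap: both operands are run."""
    step1 = kleisli_ext(lambda b1, b2: unit(b1 and b2))      # (eta . and)*
    step2 = kleisli_ext(lambda f, b: step1(*swap((f, b))))   # ((eta . and)* . swap)*
    return step2(*swap((f1, f2)))


def cond_and(f1: Comp, f2: Comp) -> Comp:
    """Java '&&' = t* . swap with t(f, b) = IF b THEN f ELSE eta_bool(false)."""
    t = lambda f, b: f if b else unit(False)
    return kleisli_ext(t)(*swap((f1, f2)))


# Constructed sample operands over the counter state.
counts_true: Comp = lambda x: Normal(x + 1, True)             # side effect x := x + 1
div_by_zero: Comp = lambda x: Abnormal(x, "ArithmeticException")
diverge: Comp = lambda x: Hang()


def compare_conjunctions(x0: int) -> dict:
    """Evaluate 'false & e' and 'false && e' for several right operands e."""
    false = unit(False)
    return {
        "strict_effect": strict_and(false, counts_true)(x0),     # Normal(x0 + 1, False)
        "cond_effect": cond_and(false, counts_true)(x0),         # Normal(x0, False)
        "strict_exc": strict_and(false, div_by_zero)(x0),        # Abnormal(x0, ...)
        "cond_exc": cond_and(false, div_by_zero)(x0),            # Normal(x0, False)
        "strict_hang": strict_and(false, diverge)(x0),           # Hang()
        "cond_true_exc": cond_and(unit(True), div_by_zero)(x0),  # Abnormal(x0, ...)
    }


def unit_laws_hold(f, sample_args, sample_states) -> bool:
    """Spot-check the Kleisli identity laws eta . f = f = f . eta on samples."""
    for a in sample_args:
        for x in sample_states:
            if kleisli_compose(unit, f)(a)(x) != f(a)(x):
                return False
            if kleisli_compose(f, unit)(a)(x) != f(a)(x):
                return False
    return True
```

Running compare_conjunctions(0) shows the difference that matters for verification: with & the right operand's side effect and exception still happen when the left operand is false, whereas with && the result is κ2(x0, false) and the right operand is never run; unit_laws_hold spot-checks the two Kleisli identity laws on a sample morphism.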

We turn to the Kleisli category Kl(J) of the monad J. Its objects are sets and its morphisms A → B are functions A → J(B). The identity map A → J(A) in Kl(J) is the unit η_A, and the "Kleisli composition" g ⊙ f: A → J(C) of two morphisms f: A → J(B) and g: B → J(C) in Kl(J) is standardly defined as

g ⊙ f = μ_C ∘ J(g) ∘ f   (6)

Unraveling yields, for a ∈ A,

(g ⊙ f)(a) = λx ∈ S. CASES f(a)(x) OF {
  κ1(u) ↦ κ1(u),
  κ2(x′, b) ↦ g(b)(x′),
  κ3(x′, e) ↦ κ3(x′, e) }

Thus Kleisli composition is basically the same as Java composition ; from (1): if f does not terminate or terminates abruptly, so does g ⊙ f, and if f terminates normally and produces a result b in state x′, then g(b) is executed in this state.



J(bool) 
xpli itly 

h h 




